When Encryption Was a Crime: The 1990s Battle for Free Speech in Software

Part three in Reason's documentary series, "Cypherpunks Write Code," tells the story of the U.S. government's long battle to keep strong cryptography out of the hands of its citizens


HD Download

This is the third installment in Reason's four-part documentary series titled "Cypherpunks Write Code." Watch the complete series here.

In 1977, a team of cryptographers at MIT made an astonishing discovery: a mathematical system for encrypting secret messages so powerful that it had the potential to make government spying effectively impossible.

Before the MIT team could publish a description of how this system worked, the National Security Agency (NSA) made it known that doing so could be considered a federal crime. The 1976 Arms Export Control Act (AECA) made it illegal to distribute munitions in other countries without a license, including cryptography. The penalty for violating AECA was up to 10 years in prison or a fine of up to one million dollars.

It was the beginning of the "crypto wars"—the legal and public relations battle between the intelligence community and privacy activists over the rights of citizens to use end-to-end encryption. Many of those who were involved in the crypto wars were associated with the "cypherpunk movement," a community of hackers, hobbyists, and computer scientists, which the mathematician Eric Hughes once described as "cryptography activists."

The crypto wars continue to this day: On October 11, 2020, U.S. Attorney General William P. Barr issued a joint statement with officials from six other countries that implored tech companies not to use strong end-to-end encryption in their products so that law enforcement agencies can access the communications of their customers.

The government's stance traces back to World War II, when Allied code-breakers helped secure victory by deciphering secret messages sent by the Axis powers. "And that is the origin of the regulations that said, 'This is munition, this is an item of war,'" civil liberties activist John Gilmore told Reason. "And the problem was that they didn't really take freedom of speech, freedom of inquiry, academic freedom, into account in that."

In 1977, the Institute of Electrical and Electronics Engineers, which was planning to hold a conference on cryptography at Cornell University, received a letter from an NSA employee posing as a concerned citizen, who wrote that the U.S. government considered these mathematical systems "modern weapons technologies" and that distributing them was a federal crime. The letter caused widespread alarm in the cryptography community.

In 1977, the computer scientist Mark S. Miller was a 20-year-old student at Yale. Like many future cypherpunks, he read about the breakthrough at MIT in Martin Gardner's "Mathematical Games" column published in Scientific American. The article laid out the astounding details of what"RSA," as it was called after its co-discoverers, Ron Rivest, Adi Shamir, and Leonard Adleman, made possible. Gardner omitted the technical details, but he offered his readers the opportunity to mail in a self-addressed stamped envelope to get a full description. The authors received 7,000 requests for the memo but didn't end up distributing the paper because of the NSA's threats.

"I decided quite literally that they are going to classify this over my dead body," Miller recalls. He traveled to MIT and got his hands on the unpublished paper describing how RSA worked. Then he went to "a variety of different copy shops, so I wasn't making lots of copies in any one place" and mailed them anonymously "to home and hobbyist computer organizations and magazines all across the country."

"I gave copies of the paper to some select friends of mine," Miller told Reason, "and I told them, 'if I disappear, make sure this gets out.'"

The following year, the RSA paper was published in Communications of the A.C.M. "And the world has been on a different course ever since it got published," says Miller.

But the crypto wars were just getting started. By the early 1990s, after the launch of the commercial internet and the web, RSA and public-key cryptography were no longer a rarified topic; they were privacy salvation. Internet users could use RSA to fully disguise their online activities from government spies. This sent the intelligence community once again scrambling to stop the dissemination of this powerful tool.

In 1991, a software developer named Phil Zimmermann released the first relatively easy-to-use, messaging system with end-to-end encryption, which was called Pretty Good Privacy, or PGP. So the U.S. Justice Department launched a three-year criminal investigation of Zimmermann on the grounds that by making his software accessible outside the country, he could be guilty of exporting weapons.

The NSA made the public case that Zimmermann's software would be used by child molesters and criminals. "PGP, they say, is out there to protect freedom fighters in Latvia," Stewart A. Baker, the NSA's general counsel, remarked during a panel discussion at the 1994 Conference on Computers, Freedom, and Privacy. "But the fact is, the only use that has come to the attention of law enforcement agencies is a guy who was using PGP so the police could not tell what little boys he had seduced over the 'net."

"Child pornographers, terrorists, money launderers, take your pick—these are the people who will be invoked as the bringers of death and destruction," Tim May, a former Intel physicist and co-founder of the cypherpunk movement, told Reason. "It's true" that these individuals would make use of end-to-end encryption, May conceded, "but all technologies have had bad effects. Telephones led to extortion, death threats, bomb threats, kidnapping cases. Uncontrolled publishing of books could allow satanic books to appear."

In his 1994 essay "The Cyphernomicon," May referred to terrorists, pedophiles, drug dealers, and money launderers as "The Four Horsemen of the Infocalypse." This fearmongering was the government's main playbook for how "privacy and anonymity [could] be attacked."

The cypherpunks argued that although PGP was encryption software, it was protected by the First Amendment because under the hood it was just a written series of instructions to be carried out by a machine.

The economist and entrepreneur Phil Salin was one of the first to argue this point in an influential 1991 essay titled "Freedom of Speech in Software." Salin wrote that "[r]estraint on freedom of expression of software writers is anathema in a free society and a violation of the First Amendment."

"Encryption can't be controlled whether or not it's powerful or has impacts on the government because it's free speech," says Gilmore, a co-founder of both the cypherpunk movement and the Electronic Frontier Foundation. In the 1990s, he risked going to jail in his campaign to force the government to acknowledge that regulating encryption violated the First Amendment.

"We basically had a community of a thousand people scattered around who were all trying different ideas on how to get around the government to get encryption to the masses," Gilmore recalls.

The Clinton administration noted in a 1995 background congressional briefing that "Americans have no constitutional right to choose their own method of encryption" and pushed for legislation that would require companies to build in a mechanism for law enforcement agencies to break in.

"We're in favor of strong encryption, robust encryption," then FBI Director
Louis J. Freeh said at a May 11, 1995, Senate hearing. "We just want to make sure we have a trap door and a key under some judge's authority where we can get there if somebody is planning a crime."

The cypherpunks looked for ways to undercut the government's case by pointing out the similarities between encryption software and other forms of protected speech. While under federal investigation for making his software available for download outside the U.S., to prove a point Zimmermann convinced MIT press to mirror his action in the analog world, by printing out the PGP source code, adding a binding, and shipping it to European bookstores.

"MIT was at that time like three times as old as NSA, and it's at least as large a player in the national security community," says the cryptographer Whitfield Diffie, who co-discovered the concept of public-key cryptography on which RSA is based. 'It's one thing to try to go and step on little Phil Zimmermann; it's quite another thing to go after MIT."

"The government knew if they went to court to suppress the publication of a book from a university that they would lose and they would lose in a hurry," Gilmore recalls.

"There were people who actually got encryption code tattooed on their bodies and then started asking, 'Can I go to a foreign country?,'" Gilmore says. "We printed up T-shirts that had encryption code on them and submitted them to the government office of munitions control…'Can we publish this T-shirt?' Ultimately, they never answered that query because they realized to say 'no' would be to invite a lawsuit they would lose and so the best answer was no answer at all."

In 1996, the Justice Department announced that it wouldn't pursue criminal charges against Phil Zimmermann and major legal victories came in two separate federal court decisions, which found that encryption is protected by the First Amendment.

"The crypto wars is still ongoing," says Gilmore. "What we won in the first rounds was the right to publish it and the right to put it in mass-market software, but what we didn't actually do is deploy it in mass-market software. Now there are major companies building serious encryption into their products, and we're getting a lot of pushback from the government about this."

In the early 90s, at the same time that Gilmore was fighting his legal battle for freedom of speech in software, the cypherpunks were exploring cryptography's potential in the context of collapsing political borders and the rise of liberal democracy. Part four in Reason's series, "Cypherpunks Write Code," will look at how those dreams turned to disillusionment, and the rebirth of the cypherpunk movement after the invention of bitcoin.

Written, shot, edited, narrated, and graphics by Jim Epstein; opening and closing graphics and Mark S. Miller/RSA graphics by Lex Villena; audio production by Ian Keyser; archival research by Regan Taylor; feature image by Lex Villena.

Music: "Crossing the Threshold—Ghostpocalypse" and "Darkest Child" by Kevin MacLeod is licensed under a Creative Commons Attribution license;  "High Flight" by Michele Nobler licensed from Artlist; "modum" by Kai Engel used under Creative Commons.

Photos: Photo 44356598 © Konstantin Kamenetskiy—Dreamstime.com; Photo 55458936 © Jelena  Ivanovic—Dreamstime.com; Photo 21952682 © Martin Haas—Dreamstime.com; Photo 143489196 © Chalermpon Poungpeth—Dreamstime.com; ID 118842101 © Andrey Golubtsov | Dreamstime.com; Freeh and Clinton, Mark Reinstein/ZUMA Press/Newscom; Freeh and Clinton, Ron Sachs—CNP/Newscom; WhatsApp Founders, Peter DaSilva/Polaris/Newscom; Bill Barr and Trump: CNP/AdMedia/Newscom; MIT, DEWITT/SIPA/Newscom; John Gilmore photos by Quinn Norton, Attribution-NonCommercial-ShareAlike 2.0 Generic; Bill Clinton in Oval Office, Robert McNeely/SIPA/Newscom; Bill Clinton, White House/SIPA/Newscom; Louis J. Freeh and Bill Clinton, Ron Sachs—CNP/Newscom; James Comey, KEVIN DIETSCH/UPI/Newscom; Bobby Inmann, Dennis Brack / DanitaDelimont.com "Danita Delimont Photography"/Newscom; John Gilmore, Paul Kitagaki Jr./ZUMA Press/Newscom; Berlin Wall, Associated Press.