From The Wall Street Journal

Vol. LXXV No. 138

Thursday April 28, 1994

CIPHER PROBE:

Popularity Overseas Of Encryption Code Has the U.S. Worried


Grand Jury Ponders if Creator 'Exported' the Program Through the Internet
'Genie Is Out of the Bottle'

By William M. Bulkeley Staff Reporter of The Wall Street Journal

BOULDER, Colo. - During the battle between Boris Yeltsin and the Russian Parliament last October, with Russian freedom hanging in the balance, software author Philip Zimmermann received an electronic-mail message from Latvia. "If dictatorship takes over Russia," it read, "your PGP is widespread from Baltic to Far East now and will help democratic people if necessary. Thanks."

PGP - for Pretty Good Privacy - is a program written by Mr. Zimmermann for scrambling computer messages. Dissidents around the world use it to protect their electronic communications from the prying eyes of secret police.

But PGP has a darker side. In Sacramento, Calif., police lament that last year, PGP encryption blocked them from reading the computer diary of a convicted pedophile and finding critical links in a suspected child-pornography ring.

Admired by freedom lovers and criminals alike, PGP is one thing: uncrackable, or as close to it as a secret code has ever been. Even U.S. government snoopers can't break it. And that places Mr. Zimmermann - a paunchy, bearded, 40-year-old computer consultant who is fast becoming a folk hero on the information highway - in peril.

A federal grand jury in San Jose, Calif., is examining whether he broke laws against exporting encryption codes. The Federal Bureau of Investigation suspects that Mr. Zimmermann had a role in putting PGP on the Internet, the world-wide web of computer networks, making it easy for foreign governments and terrorists to use it and render their computer traffic impervious to U.S. spying.

Mr. Zimmermann's lawyer says his client could face charges carrying a prison term of up to 51 months.

The world-wide use of Mr. Zimmermann's software has altered forever notions of government surveillance, electronic privacy and export bans on cryptography. Until recently, difficult codes could always be deciphered by stealing the key that unraveled the encryption puzzle. During World War II, for example, the Allies captured a German encrypting Enigma machine, allowing them to crack Nazi communications. U.S. convoys taking munitions to Britain used it to help them elude German U-boats.

Keys Are the Key

But PGP, like a growing number of encryption programs, takes advantage of a new, mathematically sophisticated encrypting technology that requires two different keys, both of which are necessary to unlock the puzzle. The sender needs only one to send a message. The receiver decodes the message with the second key - which never needs to leave his computer, where it can be protected by passwords from easy pilfering. Although the mathematics are daunting, the program makes the process quick and straightforward.
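A toy illustration of the two-key arrangement just described, added here as an example and not code from the article or from PGP itself: textbook RSA with tiny constructed primes, the sender using only the public key, and the receiver's private key stored wrapped under a passphrase so it can sit on disk without being readily pilfered. The primes, passphrase handling and function names are all assumptions for illustration.

```python
import hashlib
import os

# Textbook RSA with tiny constructed primes, just to make the two-key idea
# visible; real keys use primes hundreds of digits long.
P, Q = 61, 53

def make_keypair(p=P, q=Q, e=17):
    """Return (public_key, private_key) as (exponent, modulus) pairs.
    The public key goes to anyone who wants to write to you; the private
    key never leaves your machine."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, so e * d == 1 (mod phi)
    return (e, n), (d, n)

def encrypt(public_key, message):
    """Sender side: needs only the public key; message must be < modulus."""
    e, n = public_key
    return pow(message, e, n)

def decrypt(private_key, ciphertext):
    """Receiver side: the private exponent d undoes what e did."""
    d, n = private_key
    return pow(ciphertext, d, n)

def _pad(passphrase, salt, n):
    # Pad as wide as the modulus, derived from the passphrase by PBKDF2.
    width = (n.bit_length() + 7) // 8
    raw = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=width)
    return int.from_bytes(raw, "big")

def lock_private_key(private_key, passphrase, salt=None):
    """Store d XORed with a passphrase-derived pad, so the file on disk is
    useless without the passphrase. Toy wrapping: a real tool would use an
    authenticated cipher here, but the principle is the same."""
    d, n = private_key
    salt = os.urandom(16) if salt is None else salt
    return {"salt": salt, "n": n, "wrapped_d": d ^ _pad(passphrase, salt, n)}

def unlock_private_key(locked, passphrase):
    """Recompute the pad; a wrong passphrase yields a wrong d, not an error."""
    n = locked["n"]
    return locked["wrapped_d"] ^ _pad(passphrase, locked["salt"], n), n
```

Note that feeding the ciphertext back through the public key does not recover the message: only the private exponent, unlocked with the passphrase, does.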

In an age when computers can whip up codes of devilish complexity and zip them around the globe for anyone with a personal computer, the lot of the encryption policeman is not a happy one. The Internet alone reaches 20 million people.

"The genie is out of the bottle," says Leonard Mikus, president of ViaCrypt, a Phoenix company that sells a $100 version of PGP in the U.S. "There's no way anybody can stop the technology."

The Personal Touch

The availability world-wide of encryption programs makes export controls "a farce," says Stephen Walker, a former top National Security Agency cryptographer who is now president of Trusted Information Systems Inc., a research firm in Glenwood, Md. He says he knows European government officials who use PGP for their personal e-mail. "We have to recognize what's out there."

Mr. Zimmermann, a twice-arrested anti-nuclear-war activist, became an electronic freedom-fighter in 1990. At that time, the FBI and the NSA were pushing for a law that would ban certain forms of encryption, and force computer makers to build into their machines hardware that would allow law-enforcement agencies to decipher any code that was used. The proposal outraged confidentiality-minded corporations and computer users alike. Eventually, it was dropped.

But while the issue was still open, Mr. Zimmermann took it upon himself to thwart the government's purpose by working on what came to be PGP - an impenetrable code that could be used by virtually anyone. "I did it to inoculate the body politic" from the danger of government prying, he says.

Mr. Zimmermann stopped consulting and holed up in the computer-filled workroom in the back of a bungalow in Boulder, where he lives with his wife and two children. He said he spent six months of 12-hour days writing the program, drained his family's savings and missed five months of mortgage payments. He finished the program in June 1991, and named it Pretty Good Privacy - in deference to Ralph's Pretty Good Grocery in humorist Garrison Keillor's Prairie Home Companion radio show.

When Mr. Zimmermann was through, he gave the encryption program to friends. One of them, whom he won't identify, placed it on the Internet, sometime around June or July 1991, he says. Once there, any computer user in the world with access to the Internet could download it. Almost immediately, many did.

But federal laws covering munitions prohibit exporting encryption software without a license. A year ago, U.S. Customs Service agents asked Mr. Zimmermann how his software went overseas. In September the U.S. Attorney's office in San Jose, which has expertise on computer crimes because of its proximity to Silicon Valley, told Mr. Zimmermann that he was a target of an investigation. Mr. Zimmermann says he neither sent PGP overseas, nor posted it on computer systems.

RSA Data Security Inc. is also angry at Mr. Zimmermann. The computer-security firm says that in creating PGP, Mr. Zimmermann used one of its patented cryptographic algorithms without permission, after RSA had denied him a free license.

"We sometimes joke that PGP stands for 'Pretty Good Piracy,'" says James Bidzos, president of the Redwood City, Calif., firm. "What he did was simple. In this business, you simply don't rip off people's intellectual property." RSA, which sells its technology to most of the major software makers and makes an encryption program called MailSafe, hasn't sued Mr. Zimmermann. But it has asserted its legal rights in letters to anyone it catches using PGP. As a result, few companies use PGP and many universities and commercial on-line services keep it off their computers.

Mr. Zimmermann says that technically he hasn't violated RSA patents because he didn't sell the software until he signed the deal with ViaCrypt, which does have a license to use the algorithm. He notes that the on-line documentation for PGP suggests that people who use the program should contact RSA about a license.

For many individuals, PGP has become something of a standard for encrypted e-mail on the Internet. A Glendale, Calif., college student who goes by the name Monk on the Internet says, "It's free; it's solid; it promotes privacy. How can you argue with it?" While the NSA wants to keep control of encryption, "This teeny little company with a wonderful hero has changed that," says Thomas Lipscomb, president of InfoSafe Corp., a New York developer of security devices for CD-ROM publishers.

Fear that hackers may intercept e-mail has spawned a grass-roots cult of PGP users in the Internet community. Craig McKie, a sociology professor at Carleton University in Ottawa, encrypts chapters of a new book with PGP as he sends them to his publisher, fearing that otherwise, "a gazillion copies would go flying off into the night." Lance Cottrell, an astronomer at the University of California, San Diego, says he uses PGP to share unpublished observations with collaborators to keep others from claim-jumping a discovery.

PGP also helps make the otherwise leaky Internet safe for commerce. Members of the Electronic Frontier Foundation, a group that advocates electronic free speech, can pay dues by sending PGP-encrypted credit-card numbers over computer networks. S. Soloway Inc., a Palo Alto, Calif., accounting firm, scrambles backup tapes with PGP, so that clients needn't worry about lost confidentiality if the tapes are lost or stolen. Kenneth Bass, a Washington lawyer, communicates with some clients and other attorneys in PGP code.

For human-rights advocates, the consequences of compromised sources can be devastating. Daniel Salcedo, who works for the Human Rights Project of the American Association for the Advancement of Science in Washington, teaches activists in El Salvador and Guatemala to use PGP. "In this business, lots of people have been killed," Mr. Salcedo says.

Alan Dawson, a writer living in Thailand, says rebels opposing the regime in neighboring Burma are using PGP to encrypt information sent among rebel groups. Before use of PGP became widespread, Mr. Dawson wrote Mr. Zimmermann, "captured documents have resulted directly in arrests, including whole families and their torture and death."

But investigators say PGP and other encryption systems aid crime. William Spernow, a computer-crime specialist with Search Group, a federally funded police-training firm in Sacramento, Calif., predicts criminals will routinely encrypt information within two years. "This could signal the end of computer forensics before it even gets off the ground," he says.

Mr. Bidzos of RSA says that he has had several calls from police in the Miami area asking for help in decrypting information on computers seized in drug raids. He says the encryption is unbreakable. Mr. Spernow studied one case where a criminal conducted a fraud by keeping a double set of books - the real set encrypted in PGP.

Mr. Zimmermann says he is disturbed by criminal use of encryption, but thinks the benefit of providing electronic privacy to everyone outweighs the costs. "It is impossible to obtain real privacy in the information age without good cryptography," he says.

Encryption also raises some eyebrows inside corporations. Mr. Bass, the Washington lawyer, notes that most companies assert the right to read employees' e-mail, since it is composed on their computers and travels their networks. "What will they do when people start encrypting messages to each other?" he asks.

Without e-mail encryption, widespread surveillance would be easier. In theory, CIA, FBI and police computers could tap telephone cables and look for key words such as "missile" or "bomb" to find people who needed closer watching. Mr. Zimmermann says: "This is analogous to drift-net fishing."

Computerized encryption "is a technology that for a change benefits our civil liberties," he adds. "The government law-enforcement agencies have benefited from many technologies," such as telephones that made wiretapping undetectable. In fact, Mr. Zimmermann is currently seeking funding for a project to create a phone that uses a personal computer equipped with a microphone and a speaker, to encrypt voice conversations just as PGP encrypts data exchanges.

Mr. Zimmermann has been suspicious of the government for a long time. After growing up in Boca Raton, Fla., where a children's book on secret writing first interested him in codes, he moved to Boulder in 1978 and worked as a computer engineer. After he was laid off by Storage Technology Corp. in 1985, along with 3,000 others, he became a consultant specializing in telecommunications and data security.

In the 1980s he became worried about the nuclear-arms race. He and his wife investigated moving to New Zealand. But they stayed in Boulder, an antiwar hotbed, where he lectured on arms policy.

Mr. Zimmermann says that he has not been active on the Internet and adds, "I'm not a cipherpunk - I wear a suit when I visit clients." But he says he agrees with the electronic free-speech ideals of the cipherpunks, the Internet habitués who fill cyberspace with blistering criticisms about the U.S. government's proposal to promote use of the so-called "Clipper chip." The chip would let companies and individuals encrypt sensitive communications, but the government would hold a key making it possible - with court permission - to decipher them for law-enforcement or national-security purposes.

Mr. Zimmermann thinks the Clipper project confirms the need for PGP by showing the government's desire to read electronic mail. "They're treating us like an enemy foreign population," he says.