November 2001
PHIL ZIMMERMANN
There's nothing cryptic about his passion for privacy rights.
BY PETE LOSHIN
"It was a human rights project from the beginning."
"Though the issues of cryptography and privacy are closely related, I hope that I'm not typecast as only a cryptographer," says Phil Zimmermann, the creator of Pretty Good Privacy (PGP).
Zimmermann comes across as modest, soft-spoken and thoughtful--an unlikely hero. Yet since publishing the PGP source code on the Internet in 1991, he's faced down prosecutors who wanted to jail him, claiming that making PGP available overseas violated the Arms Export Control Act. He's testified to Congress about privacy issues and how human rights workers around the world have used his program.
Cryptography was "just a hobby" that Zimmermann became interested in at the age of 10 after he read Herbert S. Zim's "Codes and Secret Writing." Zimmermann decoded "secret" club members-only messages (a simple substitution cipher) from Miami Saturday afternoon monster movie TV host "M.T. Graves in the Dungeon." He impressed a classmate by accepting a challenge to decode a ciphertext composed in rune-like characters.
Rekindled Debate Over Encryption
After years of quiet détente, the Sept. 11 terrorist attacks have put PGP and other encryption programs back on trial over whether encrypting data is a civil right or a tool for drug dealers, pornographers, money launderers and terrorists.
"World events should make us reexamine these issues," he cautions. Nonetheless, after considerable soul-searching, he came to the same conclusions after the terror attacks as he had before: Strong, unencumbered encryption is the right thing.
"PGP is effective for protecting people at risk, and it's not going to be effective to put backdoors in PGP in the hope that the bad guys will be stupid enough to use it then," he says. "And that's why I don't have any regrets about writing PGP."
Noting reports that terrorists may have used GPS receivers to help guide the hijacked airliners to their targets, Zimmermann asks, "Does that mean people shouldn't have access to GPS receivers?"
Trying to restrict crypto is just a distraction when so much information is available from other sources, he asserts, citing a backlog of untranslated Arabic documents compiled over the years by the FBI. "Perhaps you could think of Arabic as a form of cryptography."
Unwanted Attention
Zimmermann says he was confident that the first release of PGP domestically would be safe from legal restrictions, albeit not unnoticed.
"I knew it would attract the attention of the government, and they wouldn't like what I did." He certainly didn't think it would result in a criminal investigation.
Though unworried about PGP 1.0, Zimmermann knew that he very likely stepped over the line with PGP 2.0, released in September 1992. "I was quite worried," he said. "I felt sure I was going to prison because of that."
Zimmermann says his role in the development of PGP 2.0 was "more clearly violations of the Arms Export Control Act, which forbade technical assistance in the development of encryption software overseas."
At one point, Zimmermann thought about fleeing.
"I did consider whether or not staying in the U.S. was a good idea," he recalls. "But after a few minutes' reflection on it--well, maybe more than a few minutes, but I thought it through carefully--it became clear to me that it would be much better to stay in the U.S. and fight the issue than to run."
PGP Inc. and Beyond
After the government dropped its three-year investigation in 1996, Zimmermann founded PGP Inc. Though personally most interested in making strong encryption accessible to everyone who needs it, Zimmermann knew his company had to cater to corporate needs "because that's how you get revenue and that's how you pay the engineers."
Before long, however, the company ran out of money, and PGP was acquired by Network Associates (www.nai.com) in 1997.
Even before the acquisition, Zimmermann had been deposed as PGP's chairman of the board. He later served as senior fellow at NAI and resigned in February, citing his disagreement with NAI's decision not to release the PGP source code.
The point behind publishing the source is to build a trusted encryption program. Trust may not be as important in a word processor or spreadsheet, Zimmermann explains, "but it's very important when you're making an encryption software product. PGP turned out to be something that was trusted by millions of people."
Though Zimmermann welcomes NAI's recent decision to publish PGP's SDK source code, he would still like to see all the source code published. "It's the only way you can get everybody to trust it."
Last month, NAI announced plans to sell PGP as part of a restructuring plan.
One of Zimmermann's new projects is the OpenPGP Consortium (www.openpgp.org), which facilitates interoperability among OpenPGP implementations and guides development of the OpenPGP standard. Zimmermann has also been working with Hush Communications (www.hush.com) on implementing OpenPGP in its HushMail product, and with Brussels startup Veridis (www.veridis.com) to develop other OpenPGP-compliant products.
Zimmermann remains resolute in his commitment to the protection of personal privacy. Check out the "Letters from human rights groups" page on Zimmermann's personal Web site (www.philzimmermann.com/letters.shtml), to read how rights workers in Guatemala protect themselves and others from death squads by encrypting sensitive data with PGP, and how rights workers in the Balkans and Central Europe have used PGP to keep communications secret.
"It's only once in a while that someone writes to me with that kind of stuff. The people who work in this area generally don't like to publicize how they're using PGP in these situations, because they have enemies that they don't want to announce this to."
Zimmermann worries about the erosion of civil rights in the aftermath of the Sept. 11 attacks. Some of Congress' anti-terrorism ideas that include encryption control seem to have little to do "specifically with things that detect and prevent acts of terrorism. It's more of a 'let's get our wish list for increasing the power of law enforcement at the expense of civil liberties.'"
"I'm glad to see the government do things specifically designed to detect and prevent acts of terrorism, but I don't want to see them do things that undermine our civil liberties without any obvious benefit for detecting or preventing terrorism," Zimmermann says. "I don't like to see our civil liberties undermined at all, but if we're going to do it, we should do it for something that has some payoff."
PETE LOSHIN (pete@loshin.com) is senior editor-at-large for Information Security. He produces the Internet-Standard.com Web site and has authored more than 20 books on Internet protocols and security.