The Story of PGP

[Editor's note: This article is reprinted here for background on the legal battles surrounding PGP. Since it was written, PGP's author won and export controls on cryptographic software have been lifted.]

[Written on March 2, 1995, this appeared in the April 1995 editions of MicroTimes, with total circulation exceeding 230,000 in California.]

(c)1995 Jim Warren. Permission herewith granted to redistribute-in-full for any nonprofit use.

I write this today, March 2nd, because I envision the possibility of somehow being enjoined from speaking or writing about this, by a federal grand jury in San Jose, next Tuesday.

Subpoena follows op-ed

On Wednesday, February 22nd, an op-ed piece that I wrote appeared in the San Jose Mercury News, captioned, "Encryption could stop computer crackers." In the wake of massive Internet break-ins, I urged adopting nationwide, standardized, by-default, end-to-end data-communications and file encryption using the most-secure scrambling technologies that are publicly known and published worldwide. I criticized the FBI and NSA (National Security Agency) for zealously -- and successfully -- opposing all such protection, thus seriously endangering innocent citizens and law-abiding businesses.

On February 26th, a similar op-ed of mine appeared in the Sunday edition of the combined San Francisco Examiner and San Francisco Chronicle, emphasizing the unnecessary danger and billions of dollars of losses resulting from the government's preoccupation with protecting and greatly-enhancing its eavesdropping capabilities.

Three days later, two U.S. Customs Special Agents appeared at my home, unannounced, and soon handed me a federal grand jury subpoena. I am, "commanded to appear and testify before the Grand Jury of the United States District Court," on March 7th.

The subpoena was dated February 27th -- the first workday after the Sunday Examiner's op-ed piece.

Whoever said government is inefficient?

Interview recording prohibited

The agents -- two pleasant, businesslike young women -- said they were here about Phil Zimmermann and his encryption software known as PGP, "Pretty Good Privacy."

I laughed and said, "Oh -- okay, come on in," and led them up to my office, grabbing a tape-recorder along the way.

I sat down and -- prominently turning on the recorder -- said, without being confrontational, that I'd like to record the interview.

Whoops! -- flag on the play. They said they would want to take a copy of the tape with them when they left. That was fine with me, so I turned off my recorder and went for a second recorder from my car.

Drat! -- I wish I'd left the recorder running, because when I returned, they had decided they needed approval from Assistant U.S. Attorney Bill Keane, the AUSA in charge of investigating Zimmermann and PGP.

They called Keane. He was out. They left a message, then said that -- in the absence of his approval -- they would have to forego the interview, and made motions to leave. I was curious about what they wanted, and it occurred to me that I probably couldn't record my testimony before the grand jury, anyway. So after some discussion, we agreed not to record. In the process, they offered to allow me to copy their interview notes -- which I thought was a rather-neat show of good faith.

However, before we began, the senior agent looked at me with a moment of clear hesitancy and suspicion, and asked several times that I verify that our conversation was not being recorded. I did, pointing out that it would be a criminal misdemeanor -- in California -- if I recorded them in this private place without their knowledge.

Part-way through the interview, Keane returned his agent's call. I asked if he would say why we couldn't record the interview, with both of us having a tape. He said only that he didn't wish to have it done.

Apparently we citizens aren't the only ones who are paranoid.

Realworld Big Brother

The interview was relaxed, candid and cordial. The agents said they were just seeking the facts of what actually happened -- to wit:

On April 10, 1991, shortly after the Gulf War, a message from WHMurray@DOCKMASTER.NCSC.MIL cascaded across the computer nets, warning about one sentence buried in a massive "anti-terrorism" bill authored by Senators Biden and DeConcini. Their Senate Bill 266 declared, "It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall ensure that communications systems permit the government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law."

Bill Murray, then a computer-security consultant to the NSA, wrote:

The referenced language requires that manufacturers build trap-doors into all cryptographic equipment and that providers of confidential channels reserve to themselves, their agents, and assigns the ability to read all traffic.

Are there readers of this list that believe that it is possible for manufacturers of crypto gear to include such a mechanism and also to reserve its use to those "appropriately authorized by law" to employ it?

Are there readers of this list who believe that providers of electronic communications services can reserve to themselves the ability to read all the traffic and still keep the traffic 'confidential' in any meaningful sense?

Is there anybody out there who would buy crypto gear or confidential services from vendors who were subject to such a law?

David Kahn asserts that the sovereign always attempts to reserve the use of cryptography to himself. Nonetheless, if this language were to be enacted into law, it would represent a major departure. An earlier Senate went to great pains to assure itself that there were no trapdoors in the DES [federally-adopted Data Encryption Standard]. Mr. Biden and Mr. DeConcini want to mandate them.

The historical justification of such reservation has been "national security;" just when that justification begins to wane, Mr. Biden wants to use "law enforcement." Both justifications rest upon appeals to fear.

In the United States the people, not the Congress, are sovereign; it should not be illegal for the people to have access to communications that the government cannot read. We should be free from unreasonable search and seizure; we should be free from self-incrimination.

The government already has powerful tools of investigation at its disposal; it has demonstrated precious little restraint in their use.

Any assertion that all use of any such trap-doors would be only "when appropriately authorized by law" is absurd on its face. It is not humanly possible to construct a mechanism that could meet that requirement; any such mechanism would be subject to abuse.

I suggest that you begin to stock up on crypto gear while you can still get it.

The net went ballistic over this Orwellian mandate.

PGP - Pretty Good Privacy

Prior to this, Phil Zimmermann, a sometime cryptographer and small computer consultant near the University of Colorado in Boulder, Colorado, had been developing a PC implementation of public-key encryption, as described in the open literature, published worldwide more than a decade earlier. He had idle thoughts of possibly making it available as shareware, perhaps for educational purposes for fellow crypto hobbyists. He called it, "PGP" -- Pretty Good Privacy.

But public-key crypto using any reasonably-robust key-sizes is reputed to be uncrackable. And intentionally building a back-door into a beautiful crypto implementation is about like welding a tractor tire on the back of a classic '63 Corvette -- obscene!

Kelly Goen, located in the San Francisco Bay area, was also interested in crypto. He and Zimmermann became acquainted -- as is common among technoids with similar interests. In that context, Zimmermann apparently gave Goen a copy of PGP -- also common behavior among us propeller-heads.

S. 266 goads guerrilla crypto

When Murray's message flashed across the nets, thousands of us were infuriated -- and frightened. In the wake of the Gulf War, S. 266 seemed likely to become law, permanently prohibiting Americans from having the privacy protection that technology could easily provide.

S. 266 would also prohibit PGP -- at least in any respectable form.

So -- with more than a little of the spirit of freedom that is the heritage of all Americans -- and to help citizens "stock up on crypto gear while you still can," it was decided to make this privacy protection tool available to everyone, immediately. Goen would upload copies -- fully annotated sources, binaries and documentation -- to as many BBSs (bulletin board systems) and host-computers around the United States as possible. Zimmermann agreed -- especially since S. 266 would soon outlaw PGP.

A night-time call

Goen sent email to MicroTimes on May 24th, saying, "the intent here is to invalidate the so-called trap-door provision of the new senate bill coming down the pike before it has a possibility of making it into law." He said we could publish details about it, "provided of course mum is the word until the code is actually flooded to the networks at large."

He also called me -- as a MicroTimes columnist, and probably because I had organized the recently-completed First Conference on Computers, Freedom & Privacy, or maybe because of my comments on the net critical of the S. 266 mandate.

I had several conversations with Goen, and later with Zimmermann -- who seemed more passive about the project. Now, four years after the fact, this is re-constructed from random notes I took at the time, plus my recollections -- some of which remain quite vivid.

D-Day, defending freedom

On a weekend around the first of June, Goen began uploading complete PGP to systems around the U.S. He called several times, telling me his progress.

He was driving around the Bay Area with a laptop, acoustic coupler and a cellular phone. He would stop at a pay-phone; upload a number of copies for a few minutes, then disconnect and rush off to another phone miles away.

He said he wanted to get as many copies scattered as widely as possible around the nation before the government could get an injunction and stop him.

I thought he was being rather paranoid. In light of the following, perhaps he was just being realistic.

Government counter-attacks

About two years after the PGP uploads, the government began threatening to prosecute Zimmermann for illegal trafficking in munitions -- cryptography. [He was first visited by U.S. Customs agents on Feb. 17, 1993.] For more than two years, they have been investigating whether he "exported" PGP. It appears at press-time that they will probably prosecute him.

The allegation seems to be that, since he permitted someone else -- over whom he had no control anyway -- to upload PGP to some Internet hosts inside the United States, Zimmermann thus exported this controlled munition!

This ignores the fact that most of those same Internet hosts also have DES crypto software from AT&T, Sun, SCO and BSD, part of their standard domestic Unix systems. The DES is under the same export prohibition as PGP. The same is true for RSA's public-key crypto tools that reside on thousands of Internet hosts around the nation.

This bizarre lunacy also ignores that public-key was published, worldwide, fifteen years ago, and is available from numerous foreign software competitors including entrepreneurs in former Eastern Bloc countries -- as is the DES.

Based on what they told me at the time and everything I've learned since then:

Zimmermann never even uploaded PGP files for public access.

Goen studiously limited his uploads to U.S. systems, as permitted by law and routinely done with identically-regulated AT&T and RSA software.

They certainly didn't care about exporting PGP. Hell, most of the rest of the world already purchases public-key products from numerous vendors except U.S. companies.

They did want to pre-empt S. 266 before it became law -- just as millions of people do all the time regarding all sorts of pending legislation. And the offending mandate was later deleted from S. 266, anyway.

Zimmermann and Goen wanted to protect this nation's citizens. S. 266 wasn't threatening other nations' citizens; it was threatening Americans!

Why the persecution?

Some apologists say the government is just trying to clarify the law. Bull!

If that's what they want, they should investigate and prosecute AT&T or Sun or SCO or RSA. Each makes millions peddling systems to U.S. Internet host-owners that include identically-controlled crypto modules, particularly including RSA public-key packages that are at-least as powerful as PGP.

But thugs don't pick on targets that can defend themselves. Goons go for the frail and weak and helpless -- like Phil Zimmermann.

Maybe this is a rogue prosecutor trying to make a name for himself. But apparently Keane can't seek a grand jury indictment for this "crime" without clearance from the Department of Justice in Washington.

Maybe it's just our government wasting thousands of staff hours and millions of dollars to publicly flog Zimmermann as a lesson to any other pissant citizen who dares to do what AT&T, Sun and RSA can do with impunity.

This appears to be nothing less than an arrogant, oppressive government using all of its might and all of its power to flail and torture one poor citizen, to teach him that he is dirt and intimidate everyone else.

Is this what our nation has become? Is this the America we want?

Coincidental subpoena?

As a footnote, I must say that my initial assumption was that the agents' arrival two days after my op-ed piece appeared was simply coincidental -- that they were just-now getting around to tying-up loose ends of this wasteful multi-year investigation. They said they were responding to a letter I had sent to the grand jury a year or two earlier, when I first heard they were investigating Zimmermann.

As I write this, and try to maintain some slight semblance of reason, about half the time I think the timing was accidental -- and half the time I think I'm being naive.

A frightening experience

But I gotta tell ya, I awakened hours before dawn this morning, wondering if somehow I was going to be the next victim of this governmental obscenity. The government's stated policy is to attack opponents with overpowering force. They are certainly doing that to Zimmermann.

I feel threatened and intimidated -- and furious and outraged that it should be happening in my nation, prosecuted by my government.

I cry for what Phil Zimmermann must be going through. He had little financial resources to begin with; this has already cost him, dearly. For almost two years, he has been under the horrifying threat of wasting all of his assets including his home, just to defend himself against the outrageous abuse of a federal government that will go to any expense to "win."

And if Zimmermann loses, he goes to prison for years of mandatory incarceration. When he comes out, his young daughter will be a teen-ager. All because he dared to write a cryptographic program that the government couldn't crack, that someone else made available to U.S. citizens.

If there is any justice remaining in this nation, this screams out for immediate redress!

Folks who care can send much-needed donations to the Zimmermann legal defense fund in care of his attorney, Phil DuBois, 2305 Broadway, Boulder CO 80304; 303-444-3885;

[Editor's note: Since the above was written, Zimmermann won his legal battles, so the contact information above is no longer valid.]