[ale] Phil Zimmermann Speaks in Atlanta!

Charles Shapiro Charles.Shapiro at harbinger.com
Wed Apr 7 10:19:37 EDT 1999


Phil Zimmermann is a hero. For six years, from 1990 until 1996, he
fought the Good Fight against the government, risking his personal
freedom so that the rest of us could enjoy privacy in the
love letters, business deals, and filthy humor we store and transmit
on computers.  Zimmermann is the originator of PGP, the freeware
encryption program which gives anyone with a PC the ability to encrypt
a message or a file so well that even the most powerful supercomputer
cannot read it without the key in less than a decade. PGP uses
public-key encryption, a scheme which separates the encryption and
decryption keys to a message.  This means that you can publish your
decryption key and send messages which people will know must be from
you alone. Publish an encryption key, and anyone can send you a
message which only you can read.  A great piece of software, and a
great man. It is free and open. The source is published, and compiled
copies of the program are available for download. Zimmermann
recommends "http://www.pgpi.org" as the place to go if you want your
copy of this software. They not only have versions for the
run-of-the-mill Microsoft and Apple systems, but also versions for
operating systems the rest of us use, such as Amiga, Atari, OS/2 and Linux.
You can even get an RPM of PGP to install on your Red Hat distribution.

So naturally, when Zimmermann came to Georgia Tech to speak, I had to
go see him. He's a very affable guy.  My friend and I found him
waiting around in the lobby for the talk to begin.  His beard is
beginning to turn grey, and he carries a bit of a paunch.  He was
willing to sign the chunk of sheet metal I brought for the purpose
(the outside of my first Linux box).  And he was kind enough to chat
a little
afterwards. I learned that, like all of us, he's worried about
slowing down as he ages. And he approves of the American involvement
in Kosovo.

When we got into the lecture hall, Zimmermann began his talk by asking
"How many people here have used PGP?" Almost everyone there raised
their hands. He then answered what he said was the most frequently
asked question about PGP: "No, we have not put any back-doors into
PGP. It never had them, and it never will as long as I have anything
to do with it." This was a recurrent theme throughout his somewhat
discursive talk.

PGP may be the most common strong encryption system on the
planet. It has fulfilled one of Zimmermann's stated goals in writing
it: the advancement of human rights. The American Association for the
Advancement of Science uses it in human rights work, and trains activists
all over the world in its use. As I write this, dissidents in Kosovo
are using PGP to communicate with colleagues across the borders.

Zimmermann started to write PGP in late 1990, hoping to sell it as a
commercial product. He was working then as a programmer of embedded
systems, but he had a strong interest in cryptography.  "I wanted to
write encryption software, but I could not get anyone to pay me for
it", he says. It took him six months to finish PGP, much longer than
he thought it would. "Engineers are always pathologically optimistic."

Halfway through his project, the Senate passed bill 266, which
contained a resolution saying that all communications hardware should
have a back door for government access. "I could see the writing on
the wall at that point -- I thought it would not be long before my
product was illegal. So I decided to make it freeware. When I was
finished, I emailed it to someone who volunteered to publish it on the
internet, and it spread all over the world."

Some time later, Zimmermann got a phone call at home from the Customs
department. They asked some questions about PGP, which Phil, "as an
American who wanted to help out the police", answered as best he
could. He thought that perhaps they had run into it in the course of
another investigation, so he happily told them a little about what
they were up against -- and that he personally had no way to decrypt a
PGP-encrypted message. But then the lady on the telephone said "Well,
we'd like to fly out and talk to you about this." The customs office
was in San Jose, California, and Zimmermann was living in Boulder at
the time. And they had said 'we', which implied that they'd send more
than one person.

Zimmermann then contacted a criminal defense lawyer and asked to use
his office for the interview.  It turned out that Customs was mainly
interested in whether PGP was stolen property, which it was not. It
had been written from scratch except for the mathematics, which was
widely available in textbooks. Zimmermann later learned that RSA
Incorporated had first contacted Customs, on the assumption that
Zimmermann had stolen something from them. Later versions of PGP use
the El Gamal encryption algorithm, which is firmly in the public
domain, for this reason. "I thought that attempted incarceration was a
bit over the top for business competition". Zimmermann says "There's
still a patent on the RSA algorithm. It expires on September 20,
2000. So they have their own Y2K problem. I would sell the stock short
before then."

The US government continued to try to get Zimmermann, on grounds that
PGP was an illegally exported munition, among other things. Finally,
in January of 1996, they threw in the towel. The Justice Department
figured that "there were evidentiary problems, there were first
amendment problems, and the press was unrelentingly critical of the
government in an election year."

Zimmermann promptly formed a company called "PGP Incorporated" -- easy
to do, since the venture capitalists "were practically throwing money
at me". Eventually, Zimmermann sold the company to Network Associates,
a computer security firm which sells anti-virus software and the
like. He now works for NA as a "loose cannon". His official title is
"Senior Fellow". He says the main advantage of this is that he has "no
deliverables".

Zimmermann says that his "background is politically progressive left",
which puts him at a considerable remove from my views as a proudly
raving Libertarian. He realizes the amusing mutability of being a hero
though. As he said "people project their own values on me. When I
speak to conservative republicans, they assume that I am a
conservative republican, when I speak to libertarians they think I am
one of them. It is as if I cannot be a hero to them unless I am like
them." He attributes this phenomenon to the wide appeal of privacy as
an issue. It really does cut across political lines. Nobody wants the
government snooping on them.

The question and answer period offered a few interesting
nuggets. Zimmermann still has some of the old-fashioned fears about
computers which Orwell wrote about in "1984" -- that they will enable
the state to track us all. As he says, "The human population is not
doubling every 18 months, yet Moore's Law says that processing power
is. How long will it be until machines can read every face on the
planet?" Well over half the population of the earth has yet to make
the first phone call in their lives, so perhaps his fears are
overblown.

He also had an amusing story about how PGP is now published. The
export laws have a hole in them for bound books, so PGP's source is
published as a book and then shipped to Europe, where interested
parties can run it through a scanner to get the working source. When
Zimmermann published the first book, "we completely misunderstood the
problem". It took about a thousand man-hours to convert the first book
into useable code from scanner output.  What Zimmermann and his
cohorts found out was that scanning software has actually regressed in
the last five or ten years. Most of this software now uses a spelling
dictionary to resolve ambiguities. This is great if your book is in
English or French, but not so good if it's in C. There are other
little gotchas as well -- for example, one scanner program would
assume that "*/" (the token which delimits the end of a comment in C)
was just a blot on the glass, and simply not put that in the scanned
output.  The new books are printed in a special OCR font, and they
contain a checksum for every line. Zimmermann's team has also written
new software which will automatically proof scanner output for common
errors, using a probabilistic algorithm to fix them as necessary.
With this new technology, the time needed to go from a printed book to
useable source has been cut down to 30 man-hours or so.

Zimmermann realizes that the battle for free encryption is not yet
won. But victory is near. As he says "The government efforts to
control cryptography are a kind of rotting door that is just waiting
to be kicked in." In France, it was once illegal to use PGP, but the
French government has now decided to let people send and receive
encrypted messages without interference. The United Kingdom is
"reviewing" their policies. So, Zimmermann says, the United States
cannot be far behind.  I hope he is right.

In addition to this article, I have about 300 lines of notes on Phil's
talk. I will be glad to email them out to anyone interested. They include
much which I simply could not pack into this article, such as some good
quotes about some of the "controversial features" Zimmermann helped put
into the
corporate version of PGP, and his plans for an encrypted telephone set which
would work through your PC.

Charles Shapiro
cshapiro at harbinger.com                            72300.3632 at compuserve.com
Funny saying + 22-line ASCII art masterpiece here.





