In June 1991, Phil Zimmerman’s Pretty Good Privacy (PGP) public key cryptography software was posted to the Internet. PGP almost immediately became the standard cryptographic system used on the Internet. The U.S. government claimed that posting the software to the Internet violated the ban on exporting cryptographic technology and launched an investigation of Zimmerman and his software.
In January 1996, after an extensive four-and-a-half year investigation, federal prosecutors informed Zimmerman’s lawyers that the investigation was closed—no charges would be filed.
In early March 1996, bills were introduced in both the House and Senate that would loosen the rules that govern the use and export of cryptographic technology. Sponsored in the Senate by Patrick Leahy (D-Vermont), the legislation would have let businesses and individuals use any kind of encryption system they choose instead of the easily-cracked systems currently mandated by the federal government. A surprise supporting witness of the bill was FBI Director Louis Freeh. Freeh acknowledged that American businesses are put at a disadvantage by the current restrictions and are vulnerable to industrial espionage. Freeh’s support was probably a direct result of Leahy’s inclusion of support for government key escrow within his bill.
Two months later, in May 1996, competing legislation was introduced in the Senate by Conrad Burns (R-Montana) called the Promotion of Commerce Online in the Digital Era Act. The competing legislation would not only encourage the use of cryptographic technology (like PGP) but would prohibit the implementation of a mandatory key escrow or recovery system. Burns’ proposal called for the promotion of electronic commerce, competitiveness among American software companies, the protection of intellectual property, and privacy. Leahy agreed to endorse the Burns bill, including the provision that would specifically prevent the creation of a government key escrow system.
Shortly thereafter, the U.S. State Department distributed a warning to several domestic companies producing software designed to make PGP easier to use.These domestic products make PGP easier to use but they do not contain cryptographic technology in themselves. The companies were warned not to export their software products even though the products contained no cryptographic elements. Companies ignoring the warning, according to the State Department, could be prosecuted under the federal arms export restrictions.
Specifically, Sunnyvale, California-based Network TeleSystems was warned by the State Department not to export an email program the company was developing because it contained PGP “hooks” that make it easier to send and receive encrypted email messages. At the same time, San Diego-based Qualcomm, Inc. received State Department export approval for its Eudora 3.0 email product that also has hooks for external programs. The difference? Eudora’s hooks are not PGP-specific.
In a situation similar to Phil Zimmerman’s, University of Illinois-Chicago research professor Daniel Bernstein fought long and hard against the United States government for his right to post his cryptography research to the Internet. On December 6, 1996, U.S. Northern California District Court Judge Marilyn Hall Patel ruled that the government’s restriction of Bernstein’s distribution of his research on the Internet was unconstitutional. Judge Patel found that the U.S. State Department exercised prior restraint on Bernstein’s speech when, in 1992, it labeled his cryptography research a “munition” under export law and required Bernstein to obtain an export license.
While Judge Patel’s ruling protects computer software source code as a form of speech, commercial cryptography programs are still considered to be a munition and subject to the State Department’s export license requirement. Computer software source code is considered a form of speech, but computer software object code (the actual software program that you run on your computer) is not. This is roughly analogous to allowing the use of the alphabet, but prohibiting the speech produced by using the alphabet.
In early December 1997, PGP, the company Phil Zimmerman formed to sell commercial versions of his widely used cryptography software, was sold to Network Associates, Inc. for US$35 million. At first blush, one would have to cheer Phil Zimmerman’s fortune: for years he was harassed by various agencies of the U.S. government and never knew from one day to the next whether he would face criminal charges. On closer examination, however, the acquisition is problematic for users of the popular cryptography program. Phil Zimmerman actively campaigned against any sort of key escrow or key recovery system proposed by the government and testified before Congress that key recovery would “strengthen the hand of a police state.”
Network Associates, on the other hand, has actively promoted nearly any incarnation of key escrow and key recovery. Network Associates is a member of the Key Recovery Alliance, a trade association with about sixty corporate members that lobbies for mandatory key escrow and key recovery systems that would allow businesses to recover the cryptographic keys of employees used to make information private. Zimmerman carries the title of “fellow” at Network Associates, but as of this writing it is too soon to tell what responsibilities he will have at the company.
Some high technology companies, such as Network Associates, support key recovery because it would allow them to export products that contain elements of strong cryptography that are currently forbidden. The Commerce Department prohibits the export of products that contain strong cryptography unless the manufacturer promises to develop key recovery features.
Within months of the PGP acquisition, Network Associates had resigned its membership in the Key Recovery Alliance, under pressure from Zimmerman and other PGP principals. In an apparent contradiction to Phil Zimmerman’s philosophy, the most recent version of PGP for Business Security—release 5.5.5 as of this writing—includes an option that allows employers to retain a “master” key that can be used to access any employee’s encrypted materials. PGP for Business Security ships with its key recovery option disabled by default. Some corporate users support the option for key recovery because it would allow them to recover encrypted information when an employee leaves the organization.
At a cryptography conference in February 1998, Zimmerman defended the inclusion of the key recovery option in the PGP software:
“Right now, a subpoena can be used to get at a recipient’s key, and there are a variety of ways to get the plaintext content of a message. In the grand scheme of things, I think our solution doesn’t affect the outcome of any investigation.”
Two months after Network Associates resigned its membership in the Key Recovery Alliance, the company acquired Trusted Information Systems for more than US$300 million and announced that it would probably rejoin the Key Recovery Alliance. Trusted Information Systems makes RecoverKey, a software product that allows corporations to escrow the private keys of employees. Trusted Information Systems has major consulting engagements with U.S. government agencies, especially in the intelligence sector and specifically with the National Security Agency.
Some privacy advocates view this turn of events as indicative of Phil Zimmerman’s reduced status and level of responsibility within the Network Associates corporate hierarchy, although Zimmerman staunchly continues to defend Network Associates and the “master” key functionality of his PGP software.
In late February 1998, Network Associates announced that it would integrate RecoverKey, the Trusted Information Systems key recovery system, into its corporate security products, including PGP for Business Security. Network Associates said it would not, however, use the RecoverKey or any other key recovery technology in its PGP for Personal Privacy product targeted for use by individuals.
(For information about using the PGP software, see “Using Pretty Good Privacy” on page 276.)
0 responses. Comments closed for this article.