Phil Zimmerman Vs the US Government over PGP

The research of techniques to have ensured communication while a third party is eavesdropping is what we call Cryptography or Crypto for short. It is basically, creating and studying processes that prevent other people from reading the confidential message that was sent. As we can see, it has a high potential to be used as a tool for espionage or to keep secrets against enemy governments for example. And its propagation was not very well supported by the US government and its facilities such as The National Security Agency/NSA and the FBI due to that very reason. But the scientific community thought very differently about the subject. If the government had full control over our way of communication, how would a normal citizen ever have rights to privacy and a private conversation? Before then, if someone was eavesdropping on a conversation that you were having with somebody, you would just have to move to another room, or get to the conversation later on. But with the creation of email and electronic communication, normal citizens had no idea whether they were getting spied on or not? And the government wants to keep it that way.

In the 70s and 80s when no one really knew or was efficient enough when it comes to cryptography, it was clear that it was the NSA/Government's domain. So, when a Stanford professor and his students made their own cryptographic discovery, the organizations tried their best to keep its propagation to a minimal, initiating what we call the crypto wars. The War on the propagation of information on cryptography and it's uses. The NSA tried stopping funding to crypto research, put secrecy order on crypto patents, threatened University staff and students with treason, tried restricting crypto research through a review process which failed miserably. Even though the 80s seemed pretty quiet, the war would soon resume in the 90s. These times are most renowned for Phil Zimmerman developing and releasing Pretty Good Privacy(PGP) software in 1991, an end to end encryption algorithm for email, files etc.; free for everyone to see and use on the internet. As expected, the government was not so happy with Zimmerman, so in this paper we will discuss who is Zimmerman? Why he made PGP and published it for free? And finally, the 3-year criminal investigation on Zimmerman over PDP's publication by the government and its results.

First of all, who is Philip Zimmerman? Philip Phil Zimmerman, one of the most renowned and influential people on the internet, the reason being he is the creator of Pretty Good Privacy, an end to end email encryption software package that provides cryptographic privacy, authentication and data communication. Before creating this software, Phil Zimmerman used to be a software engineer in Boulder Colorado and then was part of the nuclear Weapons Freeze Campaign which had the purpose of trying to stop the government to stop the nuclear arms race, as a speaker on military policy and that ignited his passion in human rights and the political side of cryptography. And so, Phil Zimmerman was a software engineer with at least around 20 years of experience in the field. His specialties were cryptography, data security, data communication and real time embedded systems. So, as we can see, Zimmerman is a pretty big figure for the scientific, human rights communities as well as the internet. And even though the government was always on every bodies tail when it came to cryptographic research and development because they didn't want it to be accessible by opposing countries or anyone but them in fact. So why did Phil Zimmerman go through all this trouble to make PGP?

Phil Zimmerman was and still is a Peace Activist since the 80's. He used to teach classes in military policy to try make lobbyist try and persuade Congress against the arms race, he was a very effective speaker on military policy. He also did Civil Disobedience, so he was in Jail with Carl Sagan and Daniel Elysburg, publisher of the Pentagon papers in the 1970's, he inspired him when they met. PGP was basically a human rights project from Zimmerman's point of view, it was in the context of that kind of activism. Before the publication of PGP in 1991, it was not possible for ordinary people to communicate over great distances without getting eavesdropped on by a third party in their communication channel. Although sovereign states could do it, due to them having so much resources they would send people with the encryption keys to the foreign embassies to keep their communication secure, but ordinary people couldn't achieve that before the free publication of PGP online in 1991. The first version wasn't that great, and so the second version came out around 15 months later with a better trust model, encryption algorithm, and it was more like what we see today. In the early 90's at that time, the cold war was ending and businesses whether big or small were getting globalized.

But business didn't have a great need for PGP when it first came out due to them mainly trying to protect themselves from other business and not the government, because the competing business didn't have relative cryptanalytic capabilities. So, it wasn't so important or needed for businesses to have any encryption algorithm stronger than 56-bit Data Encryption Standard DES, which is an encryption standard developed by IBM. And so, the PGP's threat model which was to protect Human Rights workers and political activists whose opponents were major governments, a different threat model than that of businesses trying to protect themselves from other businesses in 1991.But as the 90's unfolded, those same businesses would hire people in foreign countries for cheap labor. These cheap labor foreign countries had oppressive governments or were coming out of an era of oppression as the cold war was ending. So, as we can see, the threat model that PGP was based off started to appeal more to those business because of their cheap labor workers in the oppressed countries needing to communicate. That was one of the reasons Zimmerman wrote this software.

The Second reason was due to the Senate Bill 266 in 1991, specifically subtitle B in title 2 which states Electronic Communications - Expresses the sense of the Congress that providers of electronic communications services and manufacturers of electronic communications service equipment should ensure that communications systems permit the Government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law. What this means is that, if this had become a real law back then, it would have obliged all secure communications manufacturers to setup trap doors in all products. This would give the US government access to anyone's encrypted messages whenever they please when doing so. And that would have really destroyed all privacy and human rights when it came to electronic communication between ordinary people. That was the second reason why Zimmerman published PGP for free on the internet in 1991.

The third reason that Zimmerman created PGP was because other encryption algorithms were just too weak, or seemed good but were already cracked by someone. Zimmerman calls them Snake Oil and advised to beware of them. Zimmerman knew how easy it was to fall into a false sense of security when it came to writing a good and secure encryption algorithm, because it was really hard to write an encryption algorithm that can take on an ongoing attack by a resourceful opposition such as the government or anyone with expertise really. Many of these snake oil algorithms were getting sold to other organizations and governments, Zimmerman knew that was a huge problem. Anyone with these weak algorithms could unconsciously place important data in an unsecure position and even not know the information was compromised by another party, when the person could have maybe done otherwise without said algorithms.

Most of the commercial encryptions being used at the time used Electronic Codebook mode ECB, which was the simplest of the encryption codes, dividing messages into blocks and each block was encrypted separately. And when he talked to the authors of these implementations, they stated that they never heard of the weaknesses that ECB had, and that they didn't know anything about the Cipher Block Chaining CBC and Cipher Feedback modes. This showed that the people who wrote the commercial encryption software didn't know elementary concepts of cryptography, and that was not too reassuring for Zimmerman. So really what was going on in Zimmerman's mind in my opinion was that, these authors who sell us the commercial encryption software must think their algorithms are brilliant and trustworthy without showing why, so how would Zimmerman know it's brilliance if he couldn't read or even see the algorithm sold.

Also to add, that these algorithms were not sold by companies that specialized in cryptography which made it seem even more sketchy for the great Zimmerman. As we can see, those companies were selling encryption that looked good and encrypted the messages sent, but because the cipher text produced by a weak encryption algorithm looks as good as cipher text produced by a strong encryption algorithm, these companies didn't know how to tell if their algorithm was weak, which basically means that these companies never knew that they were really selling snake oil algorithms.

Based on everything said in this third reason, the NSA's job is to gather intelligence, by eavesdropping on people's private communication. And since people couldn't get good encryption software from those companies, this made the NSA's job way easier, since they could crack anything on the market due to their high expertise. So basically, the last reason Zimmerman published PGP, was because before it came, there was no strong secure encryption software available to the people of the United States of America.

With Zimmerman finally releasing PGP in 1991, the public had a highly secure general-purpose encryption software available on the internet, downloadable from anywhere. Zimmerman has selected the best algorithms from cryptologic academia, each algorithm individually subjected to a peer review, so as you can see, PGP was definitely the strongest piece of encryption software available worldwide at the time. Due to the strength that PGP has, the NSA was certainly not amused with its release, they didn't know how to crack it, and that interfered with their job, getting data and intelligence. So, during the early 90's to the mid 90's, around when PGP was released, Zimmerman was the target of 3 a year criminal investigation. This happened due to cryptanalytic skills being not so common, and finding people to crack hard algorithms is pretty hard, as well as PGP interfering with the NSA's job as well, so the government classified encryption software as a munition, and anything on the munitions list could not be exported without a special license.  Things on the munitions list include stinger missiles, advanced weaponry, and crypto surprisingly.

So basically, the government was trying to accuse Philip Zimmerman of violating the Arms Export Control Act which the mandatory sentencing guidelines were from 41 to 51 months in a federal prison, for publishing PGP on the internet, and it's spread overseas. And so, the 3-year investigation began. He had a legal defense fund, team and several lawyers working on his case. As well as a lead council that required funding because it wasn't backed up by a big law firm behind it. So Zimmerman had contributions from all over the world and worked hard so that he doesn't get indicted. Due to situation being followed by the cyberpunks and people who admired Zimmerman for PGP, the whole case was sort of out there and public, and basically people knew about the situation. Then the publicity made Zimmerman think and decide early on that it would be better off he did a lot of public speeches which normal criminal defense lawyers don't usually let their clients do. But again, due to the publicity, his legal team observed the situation and realized that maybe in this unique case, public speeches by Zimmerman might be a good idea. So Zimmerman acted on his idea and started giving public speeches at conferences, and each time he did, someone from the State Department, the part of State Department that enforces the act that Zimmerman supposedly broke, will be at the conference taking notes of Zimmerman's speech and also purchase the cassettes of Zimmerman's talks so that they could use it against him in the investigation. So, Zimmerman had to be very disciplined when giving his public speeches for his investigation.

As the criminal investigation was going on, Zimmerman was present at the first DEFCON conference ever held, in June of 1993 at Las Vegas Nevada. DEFCON is the world's largest convention, the attendees usually include computer scientists, security professionals, journalists, lawyers, federal government employees, and of course our beloved Zimmerman. During the convention, Zimmerman ran into somebody from MIT press, and he said that he would like to publish the PGP user's manual. Zimmerman thought that was a great idea, but he wanted to add another book and instead publish two books through MIT press. The first book being the PGP user's manual and the other one having the source code for PGP. The idea was for Zimmerman to use the other book in trial if he was going to get indicted because there was this other litigation going on that is pretty similar to his scenario. Phil Karn an electrical engineer who worked at Qualcomm in San Diego at the time, a telecom company, had bought Bruce Schneider's book called Applied Cryptography. Karn sent this book to the State Department, with an application to export it.

Although this book was already exported all around the world, but he asked for a commodity jurisdiction, which was under the control state department, but he wanted it to be declared under control by the commerce departments. He wanted that so it could be legally exported, because it was book they let it pass. What they didn't realize is that they were walking into a trap. Because then he took a floppy disk and put into an envelope with another commodity jurisdiction request, and sent that to the State Department. That floppy disk had source code that was published in the same book Applied Cryptography, it was source code for the federal data encryption standard from the appendix of the book. And obviously as usual, we know what the government thinks about crypto, they declined the request because you can't export encryption software. Same reason Zimmerman was under criminal investigation. So Karn engaged the department because they allowed the book to be exported but not the floppy disk which only contained the appendix of that same book, then they realized that they walked into Karn's trap.

So, while that was happening, Zimmerman was getting approached by MIT press, and he wanted to put the whole source code of PGP in the second book. Later MIT press, applied for the same thing as Karn, a commodity jurisdiction request. So basically, Zimmerman's situation was replica of Karn's except this time the State Department about the trap, and the book had all the source code, as well as the makefiles, not just a small part of the book is code in this scenario. But PGP was already all over the world, so there was no need to scan the book, but the objective of Zimmerman was to put the State Department in a predicament. So, the State Department asked the NSA. The NSA didn't want to say yes, but they knew that they couldn't say no the request due to this book being published by a well-known academic publisher, the MIT press, and because this was a serious violation of the First Amendment. So, the NSA actually didn't respond, and meanwhile MIT press sent the book all over the world.

Zimmerman and his legal team were hoping the NSA would at least respond, because if they said no that's a First Amendment Violation against the NSA, and if they approved the request, Zimmerman basically beat the investigation. Because if it was approved, Zimmerman was going to send a floppy disk containing PGP, as did Karn with his situation, but Karn would later sue the government in litigation due to all the rejected requests and the case kept on going till 2000 when Bill Clinton dropped all export controls on all crypto source code.

Coming back to Zimmerman, due to all of this, the Government/NSA finally had to drop the case against him because they couldn't really do much or else they would've faced court for First Amendment Violation.

 

Cite this page