"If privacy is outlawed, only outlaws will have privacy. Intelligence agencies have
access to good cryptographic technology. So do the big arms and drug traffickers. So do
defense contractors, oil companies, and other corporate giants. But ordinary people and
grassroots political organizations mostly have not had access to affordable military
grade public-key cryptographic technology. Until now. PGP empowers people to take their
privacy into their own hands. There's a growing social need for it. That's why I wrote it."
- Philip Zimmermann, Why Do You Need PGP?
PGP places Public Key Cryptography in the hands of every Internet user. Philip Zimmermann
took a great personal risk in creating PGP and making it available to the world
against the strong wishes of the US Government. Although it was a difficult battle,
he succeeded, and the program is now used around the world as the primary Internet
encryption standard for email.
The following subsections provide more information on PGP:
PGP History. An otherwise quiet fellow named Philip Zimmermann obtained a bachelor's
degree in computer science from Florida Atlantic University in 1978. He then worked as
a software engineer with cryptographic systems, communications, and real-time systems.
On 17 April, 1991, the New York Times reported that
the following non-binding resolution had been added to Bill 266 in the US Senate
to encourage industry to add trap-doors
to their networking equipment, of course including Internet networking equipment:
"It is the sense of Congress that providers of electronic communications services
and manufacturers of electronic communications service equipment shall insure
that communications systems permit the Government to obtain the plain text contents
of voice, data, and other communications when appropriately authorized by law."
Even though the bill was not passed, Zimmermann understood the resolution to
mean that the US Government was one step away from introducing legislation outlawing
secure communication systems for use by private citizens, thereby giving the state
the ability to eavesdrop on any communications at any time. Indeed, legislation
that made public key cryptography a form of protected munitions was introduced
shortly thereafter, and then signed into law.
Before that happened, however, Zimmermann, working quickly to beat the legislation,
developed the Pretty Good Privacy (PGP) program based on the RSA public-key
cryptography algorithm. Zimmermann then released PGP 1.0 as freeware.
Not long afterwards, Kelly Goen uploaded the PGP program onto some bulletin
board systems, and shortly after that it was uploaded onto the Usenet
where the cat escaped around the world.
Government investigation. Shocked and dismayed, the US Government then opened a criminal
investigation of Zimmermann, Goen, and others to see if there was some way to
penalize them retroactively for developing and distributing PGP. The two sides
of this old argument are summarized below:
- Government's view. PGP provides an implementation of Public Key Cryptography, one of the
most powerful technologies ever discovered by humankind, and could be used as
easily for ill purposes as for good. Up to that point, Government action had kept PKC
out of the hands of most renegade countries, criminal organizations, and terrorist
groups, and the work Zimmermann and friends did on PGP rendered that work moot.
The US Government believed they had a responsibility to restrict access to this
technology as long as possible as a matter of overriding public safety -- doing their jobs.
- Individual's view. No matter how you dress it up, this is a basic issue of freedom
of speech. The possibility that some people might use the technology for ill purposes was
no reason to withhold it from everyone else. There is no right or need for the
state to read all communications conducted by private individuals.
Zimmermann believed he had a responsibility to put PGP in the hands of anyone who wanted
to have private communications with someone else as a basic human right.
The individual rights view finally prevailed. The investigations
of Zimmermann and supporters were finally dropped in early 1996 under strong
pressure from free speech advocates and civil rights organizations
around the world. Also in 1996, Zimmermann founded the software company PGP,
which was then bought by Network Associates in December 1997, where Zimmermann
became a Senior Fellow as well as an independent consultant, and which was later
bought by McAfee.
Free software escapes. Zimmermann
had based PGP 1.0 on the openly published RSA algorithm, and specified in
the documentation that it was a user's responsibility to get a license
if they wanted to use the software:
"The RSA public key cryptosystem was developed at MIT with Federal funding from grants
from the National Science Foundation and the Navy. It is patented by MIT (U.S.
patent #4,405,829,
issued 20 Sep 1983). A company called Public Key Partners (PKP) holds the exclusive
commercial license to sell and sub-license the RSA public key cryptosystem. For
licensing details on the RSA algorithm, you can contact Robert Fougner at PKP,
at 408/735-6779. The author of this software implementation of the RSA algorithm
is providing this implementation for educational use only. Licensing this algorithm
from PKP is the responsibility of you, the user, not Philip Zimmermann, the author
of this software implementation."
Nevertheless, RSA
immediately complained to Zimmermann that PGP enabled unlicensed use by unscrupulous
users, an argument which didn't impress Zimmermann
any more than the US Government's similar argument had earlier. Finally, they
reached an agreement where RSA agreed not to bring legal action against Zimmermann,
and Zimmermann agreed to stop distributing PGP, which was a small compromise
since the program was already being developed and distributed by others around the
world.
Not long afterwards, with Zimmermann's approval, MIT released PGP 2.5 based on the
originally developed RSAREF 1.0 algorithm. RSA immediately complained about
violation of their rights, but the situation was complicated: since MIT had a part
interest in the original patent, RSA decided against further action.
MIT then began functioning as the official distributor of
PGP. MIT and Zimmermann published a book that contained the PGP source code written
in the C programming language, and printed
in a special font designed to be easily read by computer scanners, which was legal
since the US Supreme Court had consistently refused to ban any written expression.
However, while legal within the US, the MIT PGP version was still technically illegal
internationally due to US export controls, so Ståle Schumacher developed
PGP 2.6xi using Zimmermann's original big integer library MPILIB. This made
a version of PGP available around the world without
legal restrictions for the first time.
Resources. The following sources provide more information
on PGP:
Awards. In recognition of his efforts, Zimmermann and his work on PGP have been honored
with the following awards:
- 1994 -- Information Week Most Important Products of 1994
- 1995 -- Chrysler Award for Innovation in Design
- 1995 -- Pioneer Award from the Electronic Frontier Foundation
- 1995 -- Time Magazine Net 50, one of the 50 most influential people on the internet in 1995
- 1996 -- Norbert Wiener Award from Computer Professionals for Social Responsibility
- 1996 -- PC Week IT Excellence Award
- 1996 -- Network Computing Well-Connected Award for Best Security Product
- 1998 -- Lifetime Achievement Award from Secure Computing Magazine
- 1999 -- Louis Brandeis Award from Privacy International