Phil Zimmermann, Cyber Rebel

Cyber Rebel
by Maureen Harrington
Denver Post, Sunday Empire Section
March 3, 1996

Boulder -- On a frigid Thursday morning in January, attorney Philip DuBois received a fax in his Boulder office from the Justice Department telling him the criminal investigation of his client, computer engineer Philip Zimmermann, had been dropped.

It had been a nerve-racking three years for Zimmermann, his family, friends, and the high-powered legal team that had been advising him. Hailed as a folk hero and cybersaint, Zimmermann had become a cause celebre in the computer world. But he was Public Enemy No. 1 in the intelligence community.

No one would say why the feds had dropped their case against him, but many speculated that the government didn't want to make Zimmermann the first digital martyr.

Zimmermann's crime? In the early summer of 1991, he gave away software he designed to scramble, or encrypt, computer e-mail messages. It was intended to circumvent a critical shortcoming of the Internet. Since its inception, the international computer network had been a virtual sieve that could be siphoned by anyone with a modem.

Encryption had always been a concern of the military and diplomatic corps, but with the advent of the Internet, protecting information became a commercial concern. Industry and individuals were having enormous problems keeping their communications private.

Zimmermann's software, going by the aw-shucks name of Pretty Good Privacy, or PGP, solved that problem. He gave the formula to a friend, who put it out on the Internet, making it possible for an ordinary citizen to have a private conversation on-line.

PGP sounds innocent enough. It's sort of an electronic envelope to protect computer messages. Based on a mathematical formula, it uses two "keys"--one private, used only by the individual, and one public, given to anyone.
Each user has a unique set of keys and a digital "signature" ensuring the reader that the people generating the messages are really who they say they are.

Zimmermann intended his program to give individuals "the right to be let alone," as Justice Louis D. Brandeis called the privilege of privacy. But, his act has had an enormous impact on the government, computer culture, and the individuals who use and misuse the technology.

Phil Zimmermann's name may go down in cyberspace history-- whether as a hero or a villain.

PGP made Zimmermann's name a rallying cry for people who don't want the government reading their e-mail-- an odd coalition of civil libertarians, the Christian right and computer professionals. But it also set off a firestorm in the nation's house of spooks, the National Security Agency, and lighted a fire under the FBI.

Computer crime specialist William Spernow predicts that criminals will be routinely encrypting information within two years, making criminal investigations doubly hard.

As far as the surveillance community was concerned, Zimmermann was the Antichrist, making it possible for terrorists, pedophiles and drug lords to flourish behind a shield for messages the super-computers of the NSA couldn't crack.

Zimmermann acknowledges that his handiwork might be used for criminal purposes. But the fuel of his motivation was moral outrage at a government that may spy on its citizens. By giving away PGP, the designer felt he could strike a pre-emptive blow before the government made encryption illegal. As it turns out, he made his move just in time.

Zimmermann, whether a folk hero or an aider and abettor of criminals, is a man no one would pick out as a cyberspace guerrilla.
John Perry Barlow, one of the founders of Electronic Freedom Foundation, an influential cyberspace civil rights group, describes him as "an apparently unformidable gnome on a tight budget (who) now terrifies a security monolith which required half a century, uncounted billions of dollars and the collective IQs of a few thousand geniuses to develop."

Zimmermann didn't come out of one of the powerhouses of academia. He went to Florida Atlantic University, where he admits that his original major, physics, "was too hard. The calculus got me."

He's definitely the odd man out with just an undergraduate degree in a field crawling with Ph.D.s. He never joined one of the prestigious think tanks or labs on the coasts. He's been in Boulder for nearly 20 years, on his own, without benefit of grants. The Massachusetts Institute of Technology distributes PGP and published "The Official PGP Users Guide," but Zimmermann isn't one of their own.

Steve Welch, who's known Zimmermann since college and later went into a boutique computer business with him that went bust in the '80's, said, "I met Phil one night about 2 a.m. in the computer room at college. He knew nothing about computers. He'd just come over from the physics department. Within one week, he was a better programmer than I was."

Zimmermann suffered the loneliness of many smartest-in-the-class kids, along with the pain of a bleak childhood with alcoholic parents. "We moved a lot. I went to a lot of schools, and I think I got interested in cryptology then. I played around with it myself."

"I thought I was a smart guy, figuring out codes, until I read enough in the field to see how bad I really was," he said, looking back from the safe distance of success.

Zimmermann claims he isn't humble, but he is quick to point out, "I'm not the best cryptographer in the world. I figured that out pretty quickly. But I'm probably the most famous."

He is powerful because of the fame. But he's more than a little skittish about that.
"I think I've been effective with very few resources, so I'd like to see what I could do with a company where I could afford to have people working full time. But it's the power structure I've been questioning most of my life, so I'm wary of it... being seduced by it."

Watergate was the incubator of Zimmermann's political awareness. "I began to question a lot of things that government does during that time. I worked for a year on a rape crisis center line and I think... in some ways, I became more of a humanist."

Graduating with a degree in computer science, Zimmermann and his wife moved at the urging of friends to Boulder in 1978. It was in that politically volatile environment that Zimmermann became aware of the threat of nuclear proliferation.

"In the early '80s we were ready to relocate to New Zealand," he recalled. "We'd had our first child. I began to think about the future and the threats to that future. We had our visas and work papers all ready when we attended a conference on the nuclear threat, in Denver."

It was a speech by Daniel Ellsberg that changed the Zimmermanns' minds. "We decided to stay and fight," he said.

And fight he did. He began as any techno-wonk would, by learning everything he could about the issues. Zimmermann read military strategy and listened to the thinkers in the opposition. He felt that too often the left refused to know anything about those who disagree with them. "That makes you weak," he said.

The left was technophobic, as well. It became clear to Zimmermann that the right had some real firepower. The Republicans had made very good use of computers in the 1984 campaign. To prevail, the newly minted activist realized that the movement had to use everything in its power. And that included computers.

Chet Tchozewski doesn't see as much of Phil as he did during the '80s when both men were immersed in the nuclear freeze community in Boulder, but he has watched Zimmermann's career with interest and pride.
"Phil was invaluable to us," said Tchozewski. "Not only as a speaker, at which he was very good, but because of his technical knowledge and his remarkable intellectual capacities. He asked very tough questions. He started a study group and then he contributed his technical expertise."

Tchozewski, now running the Boulder-based Global Green Grants Fund, says that Zimmermann was arrested twice at anti-nuclear demonstrations, but he thinks Zimmermann has been more sorely tested in recent years.

"The first thing you see in Phil is his brightness, but it's his integrity that is even more striking to me. Imagine the courage it took not to cave in to the government. Imagine what it took for this guy to give away PGP-- to walk away from money-- what most people consider success. He took the risk for something he believed in. He could work for big industry or the government, but he doesn't."

"Phil may be gifted in computers, but clearly he's thought deeply about civil disobedience and is influenced by Gandhi and Thoreau, as well as by science."

Zimmermann did take the risk. He had begun thinking about encryption after realizing that the government was breaking into radical organizations.

"Mostly they were taking floppy disks with membership information. It didn't take much to know we needed to keep our communications secret. So I began to read the scholarly papers on the subject and knew that some of the original problems of encryption had been solved in the '70's by two scholars at Stanford. I began to work on the problems."

One of the people Zimmermann contacted for help was Charlie Merritt, a cryptographer in Arkansas. Merritt and his wife, Hobbit, had made their own encryption program years earlier.

"We were selling encryption software abroad-- there wasn't much use for it in the U.S. then, but a lot of foreign customers were interested," said Merritt. "The NSA shut us down. Pretty near ruined us. I'd been holding a grudge for years, when Zimmermann called me.
I was happy to help."

For two years, Zimmermann and Merritt talked on the phone. Eventually Merritt spent a week in Boulder and showed Zimmermann how to run the enormous series of numbers necessary to create PGP. They continued to talk on the phone until the program was nearly completed.

Hobbit Merritt added, "I think that the success of PGP is due in part to the growing anti-government feeling in the country. There are so many people-- conservative, liberal, all kinds-- who have an uneasy feeling about the government."

By 1990 Zimmermann had most of the pieces for PGP, but he hadn't put it together. So he bit the bullet, taking on very little consulting business and working seven 12-hour days a week on the encryption program. It took him six months and he missed five mortgage payments during that time.

"I'm pathologically optimistic," he said. "I had no idea it would take that long."

In the middle of the process the government proposed Senate Bill 266, which would essentially outlaw all private encryption. Zimmermann knew then that he was in a race with the government.

He beat them. In the summer of 1991, PGP was posted on the Internet. He didn't post it himself, since "I didn't know anything about the Internet, then. I barely knew how to get e-mail."

The legislation has not become law, but the government is still working on encryption standards. However, the battle may have been lost-- partly because of Zimmermann. He estimates there are 1 million users of PGP worldwide.

Early in 1993, Zimmermann got a call from U.S. customs agents in San Jose, Calif. He thought they were asking for his help. When he realized they were investigating him, Zimmermann hired Phil DuBois, a criminal defense lawyer with high-tech expertise practicing in Boulder.

DuBois made an unusual decision: He let Zimmermann talk to the agents. "Usually I don't allow my clients to talk to law enforcement agents. It's not to their benefit, since they've already decided that my client is guilty.
But Phil is so clearly not a criminal that I let him talk with them."

The investigation intensified and it became clear to DuBois and his client that they were investigating with the intent to prosecute. It was then that Zimmermann put together a team of lawyers across the country who worked on the case pro bono.

"Phil has a genius for pulling really talented people around him," DuBois said. "Most of us worked on this case because we're concerned about the rights to privacy being violated, but it's also an exciting legal case."

DuBois estimates that the bill would have been in the low- to mid-six figures if everyone had charged for their work. There is a legal defense fund for Zimmermann that, according to DuBois, has brought in $1 contributions as well as a $10,000 anonymous donation. It has reached the mid-five-figure range.

Stewart A. Baker, chief counsel for the NSA, has written about PGP in Wired magazine, the bible of the digitally inclined. In his view, the fight for private Internet communication has its dark side.

"Rather than rely on laws to protect us, (supporters of PGP) say let's make wiretapping impossible. ... This sort of reasoning is the long-delayed revenge of people who couldn't go to Woodstock because they had too much trig homework. ... Some argue that widespread availability (of PGP) will help Latvian freedom fighters today (but) one of the earliest users of PGP was a high-tech pedophile."

Zimmermann acknowledges the possible ugly uses of his program. "I've spent some sleepless nights worrying about what this could be used for. I know that some evil is done, but I believe that there is a greater good served here-- the right to privacy."

"Law enforcement says that they need to be able to read computer messages, just as they tap phones. However, they have to have more ways to investigate than just tapping. Criminals leave their footprints in the real world."
"I'm sickened by some of the people using this, but I have to remember the Burmese freedom fighters using it to survive and the scientists doing important work that needs to be kept safe."

In a worst-case scenario of the investigation, the 42-year-old software designer, husband and father of two would have faced up to five years in prison and been forced to pay $1 million in fines.

Zimmermann was accused of breaking export laws-- of sending across international borders what the G-men considered the same as munitions or nuclear secrets. Zimmermann was seen by his government as an intellectual gun-runner and threat to western civilization.

Jim Kallstrom, the FBI agent who has been in charge of computer crime, has said about PGP, "Do we want a digital superhighway... where major criminals can operate impervious to the legal process?"

By setting PGP loose on the Internet, Zimmermann was accused of sending his program across borders with[out] a license. Of course, the law enforcement community was talking about geographic borders. Defining cyberspace borders is far trickier, let alone figuring out how to police them. That would be the legal sticking point as the investigation progressed.

The very right to privacy that Zimmermann had sought to protect is akin to the privilege that President Clinton invoked when he sought to keep his conversations with his attorney private during the Whitewater investigations. Ironically, it is the Clinton administration that has been giving Zimmermann trouble.

It all began with the Clipper Chip. Clipper is the technology offered by the government, designed by the NSA, to encrypt messages, but with a "back door" through which the government can gain access to read the coded messages. Individuals and businesses that use the Clipper would give the government a "key" to their encrypted messages, allowing law enforcement the same right they have now to tap phones.
The government insists that any business doing work for them use the Clipper, effectively forcing them to allow the feds access to their communications.

Zimmermann is one of thousands of computer technocrats who find that idea ludicrous. And dangerous: "If we let the government go on in that blind way, we'll have a surveillance society. And a watched society is a conformist society. We will have totalitarianism if we don't guard against it."

As Barlow put it, allowing the government to monitor your computer communications is like "having a peeping Tom install your window blinds."

Thousands of computer professionals have signed letters and petitions decrying the use of Clipper. With Vice President Al Gore's enthusiasm for the information highway and so many allies in the computer business, the industry was taken by surprise when Gore and the administration supported the Clipper Chip.

But then along came PGP. Within hours of posting PGP on the Internet, the code was sent all over the world, for anyone's use. That's what upsets the U.S. government, in particular the NSA.

The super-secret intelligence arm of the U.S. government, the NSA spends nearly $1 million an hour, $8 billion a year, on around-the-world eavesdropping. They monitor computers, phone lines, faxes, and telexes.

With the defrosting of the Cold War, NSA has had to rethink its priorities. Who was it supposed to be listening to? On top of that was the frustration of a whole new generation of eavesdropping-proof technologies such as fiber-optic cable and the pesky PGP. Zimmermann's stonewalling software was one problem too many.

NSA staffer Clint Brooks used to speak alongside Zimmermann at privacy convention panels, but the agency now has gone silent on PGP. According to a spokeswoman, "The agency does not wish to comment on Mr. Zimmermann's personality, business or other endeavors. We make no comments about private encryption. We have nothing to say about the investigation of Mr. Zimmermann."
At a conference on privacy at CU-Boulder in 1994, Dorothy Denning, a proponent of the Clipper and chair of computer sciences at Georgetown University in Washington, D.C., defended the chip. She told the crowd that the government requests fewer than 1,000 wiretaps a year and the Clipper "wouldn't make it any easier to tap phones, let alone computer networks." Denning insists that if the government had no key to encrypted information too many criminals and terrorists would find their work easier.

Marc Rotenberg, an expert on privacy and a lawyer for the Electronic Privacy Information Center, or EPIC, sees Zimmermann in quite a different light: "It's significant that one person who sticks by his principles can make the U.S. government back down. That doesn't happen every day. The decision (to discontinue the investigation) doesn't (establish a judicial precedent)... but it may mean the government will be more careful in considering future prosecutions."

Rotenberg says the Zimmermann case has forced the public to raise questions about the role of the NSA in regulating encryption, and "perhaps he has helped our government take a look at outdated laws that were drawn up in the Cold War era. Society is changing. Because of the Internet, encryption is needed not just for the military, but also by commercial interests as well as individuals. Phil Zimmermann's actions and stand will affect policy, in my opinion."

On the other side of the coin, Kallstrom, the FBI agent who has been involved in the Zimmermann case, sees him as helping criminals do their worst. However, Kallstrom added, "Phil Zimmermann is very charming and well-intentioned. If he would work for government wages we'd be happy to have him."

Several days after learning that the federal government was dropping its investigation, Zimmermann is having a helluva day. It's his 42nd birthday. He's leaving for Iceland tomorrow, then on to Monte Carlo with a final stopover in Paris.
"Only I would go to Iceland in February," he says on this Monday morning. He'll be speaking on privacy and seeing bankers, venture capitalists and other cryptologists. He'd like to squeeze in the Louvre. He's never been to Paris.

He's taking his wife, Casey. She stood by him through some tough years, waiting to see if he was going to be spending time in prison, with no idea of what the future held.

Zimmermann's future is finally here, now that the feds have thrown in the towel and he's free to get on with his life. And he's not missing one nanosecond of his 15 minutes.

There was a party in his honor the previous Saturday night. He's been up since 9 a.m. having his picture taken, something he's done an average of once a week for two years since his case hit the media.

Venture capitalists from Atlanta, a genial father-and-son duo, flew in for a brief dinner with him on Sunday night and 20 minutes of his time Monday morning. They came bearing a gift: a black glove-leather motorcycle jacket with a Harley Davidson logo. The gift must have set them back $500. There's millions more dollars where that came from, and they'd like to give some to Zimmermann to help fund his new business.

The new company is going to make PGP look like small potatoes, according to Zimmermann. He says he has developed an encryption program for telephones. This software application will make phone tapping virtually impossible.

"It'll have the government going ballistic," crows Zimmermann.

The uses are unlimited, especially if it's inexpensive, impenetrable and easy to use. So far, the test model has fulfilled all those criteria. The word is out and entrepreneurs are coming out of the woodwork.

Zimmermann's pace has accelerated. He can hardly answer his e-mail and admits that every once in a while when the voice mail is out of hand he just dumps it all and assumes anyone with something important to say will call back.
On his phone answering tape, he patiently explains that he can't help everyone who calls him for help with PGP. He's tired of "the guys who think they see black helicopters, but I have had some extraordinary conversations with people using PGP."

He may have to take his '60s vintage Volkswagen bus to the shop to be fixed. He used to fix it himself.

Even though his schedule has gone into warp speed, Zimmermann is finding the time to do a few things for himself. A little absent-minded, perennially rumpled, with curly hair and beard, he's decided to throw off the sartorial shackles and become "Phil Zimmermann: Bad Boy Cryptologist." He laughs, but he's not kidding. He loves that motorcycle jacket.

"After all this attention and tension," he says, "I just want to do some things for fun. I've been wearing a suit and being careful of what I say and how I appear because of this investigation. Now it's time for some other things."

Ever since the feds dropped their investigation Jan. 11, he's been spending time in fancy hotels in Silicon Valley, listening to CEOs woo him and consulting with the behemoths of technology.

"It's a lot of fun," he says, a bit incredulous. "Guys who have run huge companies want to talk to me."

Zimmermann may have become familiar with the toys and terrain of the Silicon Valley potentates and he may miss the Louvre if the French bankers demand all his attention, but Saturday night was like old times.

His wife threw a "Phil Got Off the Hook Party" at the Rocky Mountain Peace Center, a funky meeting hall for lefties. It was a gathering of peacenik friends from his nuclear protest days, family and lawyers. Guys with shoulder-length hair scarfed potluck casseroles and talked gigabytes.

It ended early. The kids had to get up to bed. Phil cleaned up, recycling the trash, and carefully bagging the leftovers.
(Maureen Harrington is the staff writer for Empire Magazine)

Sidebar: PGP was huge leap forward for cryptography

Historically cryptology has been the realm of spies. It was the veil drawn over military secrets and diplomatic pouches. The cracking of the super-secret Nazi code Enigma by the Allies helped win the Second World War.

With the invention of cyberspace, the need to identify message senders and to send messages so that others cannot read them has become a necessity in business and personal lives. The shift was created by the computer, fax, and phone communications. It has become increasingly obvious that almost anyone can listen to or read information from these sources.

Two-key cryptography, one of the most important advances in the field and which made PGP possible, was discovered by Whitfield Diffie and Martin Hellman, professors at Stanford University. In this system every user has two keys. The first is a public one, given out to correspondents. The second is a private one, kept by the individual. Before, there had been a third party, a key manager, who kept the keys. In two-key cryptography there is no third party to be trusted.

After Diffie and Hellman published their findings in 1976, three MIT mathematicians developed a system to put two-key cryptography into practice. Their company is called RSA.

Philip Zimmermann came along in the 1980s, took the information others had developed and created PGP. Using the software's public key, one individual can send a scrambled message with his digital signature to another. That person will use his private key to unscramble the message. As Diffie and Hellman predicted, there is no need for a trusted third party.

Zimmermann has published his code system in book form so that it can be examined by anyone. Despite that publication, no one has been able to break the code, since it is longer and more complicated than even the most sophisticated of the known government encryption formulas.
Because no one has been able to break the code, users of PGP know that it is trustworthy-- so far.