Phil Zimmermann, Cyber Rebel

** CRAM ** an366601 at anon.penet.fi
Wed Mar 6 06:09:36 PST 1996



brought to you by CRAM

===cut=here===

Cyber Rebel
by Maureen Harrington
Denver Post Sunday Empire Section
March 3, 1996

Boulder -- On a frigid Thursday morning in January, attorney
Philip DuBois received a fax in his Boulder office from the
Justice Department telling him the criminal investigation of
his client, computer engineer Philip Zimmermann, had been
dropped. It had been a nerve-racking three years for
Zimmermann, his family, friends, and the high-powered legal
team that had been advising him. Hailed as a folk hero and
cybersaint, Zimmermann had become a cause celebre in the
computer world. But he was Public Enemy No. 1 in the
intelligence community. No one would say why the feeds had
dropped their case against him, but many speculated that the
government didn't want to make Zimmermann the first digital
martyr.

Zimmermann's crime? In the early summer of 1991, he gave
away software he designed to scramble, or encrypt, computer
e-mail messages. It was intended to circumvent a critical
shortcoming of the Internet. Since its inception, the
international computer network had been a virtual sieve that
could be siphoned by anyone with a modem. Encryption had
always been a concern of the military and diplomatic corps,
but with the advent of the Internet, protecting information
became a commercial concern. Industry and individuals were
having enormous problems keeping their communications
private.

Zimmermann's software, going by the aw-shucks name of Pretty
Good Privacy, or PGP, solved that problem. He gave the
formula to a friend, who put it out on the Internet, making
it possible for an ordinary citizen to have a private
conversation on-line.

PGP sounds innocent enough. It's sort of an electronic
envelop to protect computer messages. Based on a
mathematical formula, it uses two "keys"--one private, used
only by the individual, and one public, given to anyone.
Each user has a unique set of keys and a digital "signature"
ensuring the reader that the people generating the messages
are really who they say they are.

Zimmermann intended his program to give individuals "the
right to be let alone," as Justice Louis D. Brandeis called
the privilege of privacy. But, his act has had an enormous
impact on the government, computer culture, and the
individuals who use and misuse the technology. Phil
Zimmermann's name may go down in cyberspace history--
whether as a hero or a villain.

PGP made Zimmermann's name a rallying cry for people who
don't want the government reading their e-mail-- and odd
coalition of civil libertarians, the Christian right and
computer professionals. But it also set off a firestorm in
the nation's house of spooks, the National Security Agency,
and lighted a fire under the FBI. Computer crime specialist
William Spernow predicts that criminals will be routinely
encrypting information within two years, making criminal
investigations doubly hard. As far as the surveillance
community was concerned, Zimmermann was the Antichrist,
making it possible for terrorists, pedophiles and drug lords
to flourish behind a shield for messages the super-computers
of the NSA couldn't crack.

Zimmermann acknowledges that his handiwork might be used for
criminal purposes. But the fuel of his motivation was moral
outrage at a government that may spy on its citizens. By
giving away PGP, the designer felt he could strike a pre-
emptive blow before the government made encryption illegal.
As it turns out, he made his move just in time.


Zimmermann, whether a folk hero or an aider and abettor of
criminals, is a man no one would pick out as a cyberspace
guerrilla.

John Perry Barlow, one of the founders of Electronic Freedom
Foundation, an influential cyberspace civil rights group,
describes him as "an apparently unformidable gnome on a
tight budget (who) now terrifies a security monolith which
required half a century, uncounted billions of dollars and
the collective IQs of a few thousand geniuses to develop."

Zimmermann didn't come out of one of the powerhouses of
academia. He went to Florida Atlantic University, where he
admits that his original major, physics, "was to hard. The
calculus got me."  He's definitely the odd man out with just
an undergraduate degree in a field crawling with Ph.D.s.  He
never joined one of the prestigious think tanks or labs on
the coasts. He's been in Boulder for nearly 20 years, on his
own, without benefit of grants. The Massachusetts Institute
of Technology distributes PGP and published "The Official
PGP Users Guide," but Zimmermann isn't one of their own.

Steve Welch, who's known Zimmermann since college and later
went into a boutique computer business with him that went
bust in the `80's, said, "I met Phil one night about 2 a.m.
in the computer room at college. He knew nothing about
computers. He'd just come over from the physics department.
Within one week, he was a better programmer than I was."

Zimmermann suffered the loneliness of many smartest-in-the-
class kids, along with the pain of a bleak childhood with
alcoholic parents. "We moved a lot. I went to a lot of
schools, and I think I got interested in cryptology then. I
played around with it myself."

"I thought I was a smart guy, figuring out codes, until I
read enough in the field to see how bad I really was," he
said, looking back from the safe distance of success.
Zimmermann claims he isn't humble, but he is quick to point
out, "I'm not the best cryptographer in the would. I figured
that out pretty quickly. But I'm probably the most famous."
He is powerful because of the fame. But he's more than a
little skittish about that.

"I think I've been effective with very few resources, so I'd
like to see what I could do with a company where I could
afford to have people working full time. But it's the power
structure I've been questioning most of my life, so I'm wary
of it... being seduced by it."


Watergate was the incubator of Zimmermann's political
awareness.

"I began to question a lot of things that government does
during that time. I worked for a year on a rape crisis
center line and I think... in some ways, I became more of a
humanist."

Graduating with a degree in computer science, Zimmermann and
his wife moved at the urging of friends to Boulder in 1978.
It was in that politically volatile environment that
Zimmermann became aware of the threat of nuclear
proliferation.

"In the early `80s we were ready to relocate to New
Zealand," he recalled. "We'd had our first child. I began to
think about the future and the threats to that future. We
had our visas and work papers all ready when we attended a
conference on the nuclear threat, in Denver." It was a
speech by Daniel Ellsberg that changed the Zimmermanns'
minds. "We decided to stay and fight," he said.

And fight he did. He began as any techno-wonk would, by
learning everything he could about the issues. Zimmermann
read military strategy and listened to the thinkers in the
opposition. He felt that too often the left refused to know
anything about those who disagree with them

"That makes you weak," he said.

The left was technophobic, as well. It became clear to
Zimmermann that the right had some real firepower. The
republicans had made very good use of computers in the 1984
campaign. To prevail, the newly minted activist realized
that the movement had to use everything in its power. And
that included computers.

Chet Tchozewski doesn't see as much of Phil as he did during
the `80s when both men were immersed in the nuclear freeze
community in Boulder, but he has watched Zimmermann's career
with interest and pride.

"Phil was invaluable to us," said Tchozewski. "Not only as a
speaker, at which he was very good, but because of his
technical knowledge and his remarkable intellectual
capacities. He asked very tough questions. He started a
study group and then he contributed his technical
expertise."

Tchozewski, now running the Boulder-based Global Green
Grants Fund, says that Zimmermann was arrested twice at anti-
nuclear demonstrations, but he thinks Zimmermann has been
more sorely tested in recent years.

"The first thing you see in Phil is his brightness, but it's
his integrity that is even more striking to me. Imagine the
courage it took not to cave in to the government. Imagine
what it took for this guy to give away PGP-- to walk away
from money-- what most people consider success. He took the
risk for something he believed in. He could work for big
industry or the government, but he doesn't."

"Phil may be gifted in computers, but clearly he's thought
deeply about civil disobedience and is influenced by Gandhi
and Thoreau, as well as by science."

Zimmermann did take the risk. He had begun thinking about
encryption after realizing that the government was breaking
into radical organizations.

"Mostly they were taking floppy disks with membership
information. It didn't take much to know we needed to keep
our communications secret. So I began to read the scholarly
papers on the subject and knew that some of the original
problems of encryption had been solved in the `70's by two
scholars at Stanford. I began to work on the problems."

One of the people Zimmermann contacted for help was Charlie
Merritt, a cryptographer in Arkansas. Merritt and his wife,
Hobbit, had made their own encryption program years earlier.

"We were selling encryption software abroad-- there wasn't
much use for it in the U.S. then, but a lot of foreign
customers were interested," said Merritt. "The NSA shut us
down. Pretty near ruined us. I'd been holding a grudge for
years, when Zimmermann called me. I was happy to help."

For two years, Zimmermann and Merritt talked on the phone.
Eventually Merritt spent a week in Boulder and showed
Zimmermann how to run the enormous series of numbers
necessary to create PGP. They continued to talk on the phone
until the program was nearly completed.

Hobbit Merritt added, "I think that the success of PGP is
due in part to the growing anti-government feeling in the
country. There are so many people-- conservative, liberal,
all kinds-- who have an uneasy feeling about the
government."

By 1990 Zimmermann had most of the pieces for PGP, but he
hadn't put it together. So he bit the bullet, taking on very
little consulting business and working seven 12-hour days a
week on the encryption program. It took him six months and
he missed five mortgage payments during that time. "I'm
pathologically optimistic," he said. "I had no idea it would
take that long."

In the middle of the process the government proposed Senate
Bill 266, which would essentially outlaw all private
encryption. Zimmermann knew then that he was in a  race with
the government. He beat them. In the summer of 1991, PGP was
posted on the Internet. He didn't post it himself, since "I
didn't know anything about the Internet, then. I barely knew
how to get e-mail."

The legislation has not become law, but the government is
still working on encryption standards. However, the battle
may have been lost-- partly because of Zimmermann. He
estimate there are 1 million users of PGP worldwide.

Early in 1993, Zimmermann got a call from U.S. customs
agents in San Jose, Calif. He thought they were asking for
his help. When he realized they were investigating him,
Zimmermann hired Phil DuBois, a criminal defense lawyer with
high-tech expertise practicing in Boulder. DuBois made an
unusual decision: He let Zimmermann talk to the agents.
"Usually I don't allow my clients to talk to law enforcement
agents. It's not to their benefit, since they've already
decided that my client is guilty. But Phil is so clearly not
a criminal that I let him talk with them."

The investigation intensified and it became clear to DuBois
and his client that they were investigating with the intent
to prosecute. It was then that Zimmermann put together a
team of lawyers across the country who worked on the case
pro bono.

"Phil has a genius for pulling really talented people around
him," DuBois said. "Most of us worked on this case because
we're concerned about the rights to privacy being violated,
but it's also an exciting legal case."

DuBois estimates that the bill would have been in the low-
to mid-six figures if everyone had charged for their work.
There is a legal defense fund for Zimmermann that, according
to DuBois, has brought in $1 contributions as well as a
$10,000 anonymous donation. It has reached the mid-five-
figure range.


Stewart A. Baker, chief counsel for the NSA, has written
about PGP in Wired magazine, the bible of the digitally
inclined. In his view, the fight for private Internet
communication has its dark side.

"Rather than rely on laws to protect us, (supporters of PGP)
say let's make wiretapping impossible. ... This sort of
reasoning is the long-delayed revenge of people who couldn't
go to Woodstock because they had too much trig homework. ...
Some argue that widespread availability (of PGP) will help
Latvian freedom fighters today (but) one of the earliest
users of PGP was a high-tech pedophile."

Zimmermann acknowledges the possible ugly uses of his
program.

"I've spent some sleepless nights worrying about what this
could be used for. I know that some evil is done, but I
believe that there is a greater good served here-- the right
to privacy."

"Law enforcement says that they need to be able to read
computer messages, just as they tap phones. However, they
have to have more ways to investigate than just tapping.
Criminals leave their footprints in the real world."

"I'm sickened by some of the people using this, but I have
to remember the Burmese freedom fighters using it to survive
and the scientists doing important work that needs to be
kept safe."

In a worst-case scenario of the investigation, the 42-year-
old software designer, husband and father of two would have
faced up to five years in prison and been forced to pay $1
million in fines.

Zimmermann was accused of breaking export laws-- of sending
across international borders what the G-men considered the
same as munitions or nuclear secrets. Zimmermann was seen by
his government as an intellectual gun-runner and threat to
western civilization. Jim Kallstrom, the FBI agent who has
been in charge of computer crime, has said about PGP, "Do we
want a digital superhighway... where major criminals can
operate impervious to the legal process?"

By setting PGP loose on the Internet, Zimmermann was accused
of sending his program across borders with[out] a license.
Of course, the law enforcement community was talking about
geographic borders. Defining cyberspace borders is far
trickier, let alone figuring out how to police them. That
would be the legal sticking point as the investigation
progressed.

The very right to privacy that Zimmermann had sought to
protect is akin to the privilege that President Clinton
invoked when he sought to keep his conversations with his
attorney private during the Whitewater investigations.
Ironically, it is the Clinton administration that has been
giving Zimmermann trouble.


It all began with the Clipper Chip.

Clipper is the technology offered by the government,
designed by the NSA, to encrypt messages, but with a "back
door" through which the government can gain access to read
the coded messages. Individuals and businesses that use the
Clipper would give the government a "key" to their encrypted
messages, allowing law enforcement the same right they have
now to tap phones. The government insists that any business
doing work for them use the Clipper, effectively forcing
them to allow the feds access to their communications.

Zimmermann is one of thousands of computer technocrats who
find that idea ludicrous. And dangerous: "If we let the
government go on in that blind way, we'll have a
surveillance society. And a watched society is a conformist
society. We will have totalitarianism if we don't guard
against it."

As Barlow put it, allowing the government to monitor your
computer communications is like "having a peeping Tom
install your window blinds."

Thousands of computer professionals have signed letters and
petitions decrying the use of Clipper. With Vice President
Al Gore's enthusiasm for the information highway and so many
allies in the computer business, the industry was taken by
surprise when Gore and the administration supported the
Clipper Chip. But then along came PGP. Within hours of
posting PGP on the Internet, the code was sent all over the
world, for anyone's use. That's what upsets the U.S.
government, in particular the NSA.

The super-secret intelligence arm of the U.S. government,
the NSA spends nearly $1 million an hour, $8 billion a year,
on around-the-world eavesdropping. They monitor computers,
phone lines, faxes, and telexes. With the defrosting of the
Cold War, NSA has had to rethink its priorities. Who was it
supposed to be listening to? On top of that was the
frustration of a whole new generation of eavesdropping-proof
technologies such as fiber-optic cable and the pesky PGP.
Zimmermann's stonewalling software was one problem too many.

NSA staffer Clint Brooks used to speak alongside Zimmermann
at privacy convention panels, but the agency now has gone
silent on PGP. According to a spokeswoman, "The agency does
not wish to comment on Mr. Zimmermann's personality,
business or other endeavors. We make no comments about
private encryption. We have nothing to say about the
investigation of Mr. Zimmermann."

At a conference on privacy at CU-Boulder in 1994, Dorothy
Denning, a proponent of the Clipper and chair of computer
sciences at Georgetown University in Washington, D.C.,
defended the chip. She told the crowd that the government
requests fewer than 1,000 wiretaps a year and the Clipper
"wouldn't make it any easier to tap phones, let alone
computer networks."

Denning insists that if the government had no key to
encrypted information too many criminals and terrorists
would find their work easier.

Marc Rotenberg, an expert on privacy and a lawyer for the
Electronic Privacy Information Center, or EPIC, sees
Zimmermann in quite a different light: "It's significant
that one person who sticks by his principles can make the
U.S. government back down. That doesn't happen every day.
The decision (to discontinue the investigation) doesn't
(establish a judicial precedent)... but it may mean the
government will be more careful in considering future
prosecutions."

Rottenberg says the Zimmermann case has forced the public to
raise questions about the role of the NSA in regulating
encryption, and "perhaps he has helped our government take a
look at outdated laws that were drawn up in the Cold Ware
era. Society is changing. Because of the Internet,
encryption is needed not just for the military, but also by
commercial interests as well as individuals. Phil
Zimmermann's actions and stand will affect policy, in my
opinion."

On the other side of the coin, Kallstrom, the FBI agent who
has been involved in the Zimmermann case, sees him as
helping criminals do their worst. However, Kallstrom added,
"Phil Zimmermann is very charming and well-intentioned. If
he would work for government wages we'd be happy to have
him."


Several days after leaning that the federal government was
dropping its investigation, Zimmermann is having a helluva
day. It's his 42nd birthday. He's leaving for Iceland
tomorrow, then on to Monte Carlo with a final stopover in
Paris.

"Only I would go to Iceland in February," he says on this
Monday morning. He'll be speaking on privacy and seeing
bankers, venture capitalists and other cryptologists.

He'd like to squeeze in the Louvre. He's never been to
Paris. He's taking his wife, Casey. She stood by him through
some tough years, waiting to see if he was going to be
spending time in prison, with no idea of what the future
held.

Zimmermann's future is finally here, now that the feds have
thrown in the towel and he's free to get on with his life.
And he's not missing one nanosecond of his 15 minutes.

There was a party in his honor the previous Saturday night.
He's been up since 9 a.m. having his picture taken,
something he's done an average of once a week for two years
since his case hit the media. Venture capitalists from
Atlanta, a genial father-and-son duo, flew in for a brief
dinner with him on Sunday night and 20 minutes of his time
Monday morning. They came bearing a gift: a black glove-
leather motorcycle jacket with a Harley Davidson logo. The
gift must have set them back $500. There's millions more
dollars where that came from, and they'd like to give some
to Zimmermann to help fund his new business.

The new company is going to make PGP look like small
potatoes, according to Zimmermann. He says he has developed
an encryption program for telephones. This software
application will make phone tapping virtually impossible.

"It'll have the government going ballistic," crows
Zimmermann. The uses are unlimited, especially if it's
inexpensive, impenetrable and easy to use. So far, the test
model has fulfilled all those criteria. The word is out and
entrepreneurs are coming out of the woodwork.

Zimmermann's pace has accelerated. He can hardly answer his
e-mail and admits that every once in a while when the voice
mail is out of hand he just dumps it all and assumes anyone
with something important to say will call back. On his phone
answering tape, he patiently explains that he can't help
everyone who calls him for help with PGP.

He's tired of "the guys who think they see black
helicopters, but I have had some extraordinary conversations
with people using PGP." He may have to take his `60s vintage
Volkswagen bus to the shop to be fixed. He used to fix it
himself.

Even though his schedule has gone into warp speed,
Zimmermann is finding the time to do a few things for
himself. A little absent-minded, perennially rumpled, with
curly hair and beard, he's decided to throw of the sartorial
schackles and become "Phil Zimmermann: Bad Boy
Cryptologist." He laughs, but he's not kidding. He loves
that motorcycle jacket.

"After all this attention and tension," he says, "I just
want to do some things for fun. I've been wearing a suit and
being careful of what I say and how I appear because of this
investigation. Now it's time for some other things."

Ever since the feds dropped their investigation Jan. 11,
he's been spending time in fancy hotels in Silicon Valley,
listening to CEOs woo him and consulting with the behemoths
of technology.

"It's a lot of fun," he says, a bit incredulous. "Guys who
have run huge companies want to talk to me."

Zimmermann may have become familiar with the toys and
terrain of the Silicon Valley potentates and he may miss the
Louvre if the French bankers demand all his attention, but
Saturday night was like old times.

His wife threw a "Phil Got Off the Hook Party" at the Rocky
Mountain Peace Center, a funky meeting hall for lefties.

It was a gathering of peacenik friends from his nuclear
protest days, family and lawyers. Guys with shoulder-length
hair scarfed potluck casseroles and talked gigabytes. It
ended early. The kids had to get up to bed. Phil cleaned up,
recycling the trash, and carefully bagging the leftovers.


(Mareen Harrington is the staff writer for Empire Magazine)


Sidebar: PGP was huge leap forward for cryptography

Historically cryptology has been the realm of spies. It was
the veil drawn over military secrets and diplomatic pouches.
The cracking of the super-secret Nazi code Enigma by the
Allies helped win the Second World War.

With the invention of cyberspace, the need to identify
message senders and to send messages so that others cannot
read them has become a necessity in business and personal
lives. The shift was created by the computer, fax, and phone
communications. It has become increasingly obvious that
almost anyone can listen to or read information from these
sources.

Two-key cryptography, one of the most important advances in
the field and which made PGP possible, was discovered by
Whitfield Diffie and Martin Hellman, professors at Stanford
University. In this system every user has two keys. The
first is a public one, given out to correspondents. The
second is a private one, kept by the individual. Before,
there had been a third party, a key manager, who kept the
keys. In two-key cryptography there is no their party to be
trusted.

After Diffie and Hellman published their findings in 1976,
three MIT mathematicians developed a system to put two-key
cryptography into practice. Their company is called RSA.

Philip Zimmermann came along in the 1980s, took the
information others had developed and created PGP.

Using the software's public key, one individual can send a
scrambled message with his digital signature to another.
That person will use his private key to unscramble the
message. As Diffie and Hellman predicted, there is no need
for a trusted third party.

Zimmermann has published his code system in book form so
that it can be examined by anyone. Despite that publication,
no one has been able to break the code, since it is longer
and more complicated than even the most sophisticated of the
known government encryption formulas. Because no one has
been able to break the code, users of PGP know that it is
trustworthy-- so far.



 \   \   \   \   \   \   \   \   \   |   /   /   /   /   /   /   /   /   /   /
          _______       ________          _____        _____  _____
         ///   \\\      |||   \\\        /// \\\       |||\\\///|||
        |||     ~~      |||   ///       |||   |||      ||| \\// |||
        |||     __      |||~~~\\\       |||~~~|||      |||  ~~  |||
         \\\   ///      |||    \\\      |||   |||      |||      |||
          ~~~~~~~       ~~~     ~~~     ~~~   ~~~      ~~~      ~~~
 /   /   /   /   /   /   /   /   /   |   \   \   \   \   \   \   \   \   \   \

C y b e r s p a t i a l  R e a l i t y  A d v a n c e m e n t  M o v e m e n t
--****ATTENTION****--****ATTENTION****--****ATTENTION****--***ATTENTION***
Your e-mail reply to this message WILL be *automatically* ANONYMIZED.
Please, report inappropriate use to                abuse at anon.penet.fi
For information (incl. non-anon reply) write to    help at anon.penet.fi
If you have any problems, address them to          admin at anon.penet.fi






More information about the cypherpunks-legacy mailing list