Pretty, Pretty, Pretty Good Privacy

The first attempt at offering commercially available email encryption software found its distributor charged with trafficking in illegal arms.

The first commercially available email encryption software appeared online in 1991 as freeware uploaded by a computer programmer named Philip Zimmerman who wanted to enable ordinary computer users to safeguard their communications. Zimmerman named the software “Pretty Good Privacy” (PGP) in homage to “Ralph’s Pretty Good Groceries” on Prairie Home Companion. From one point of view, this was a grassroots effort to bring secure encryption to the masses for the common good. The US government, however, did not share that point of view. Zimmermann was charged with trafficking in illegal arms, and his legal defense would take years.

Historically, cryptography had been the exclusive domain of professional spies. That was changing, though, as civilian mathematicians developed groundbreaking cryptographic algorithms in the 1970s, bringing previously arcane techniques into the reach of consumers and businesses. The National Security Agency (NSA) and other government bodies charged with national security feared that their missions would be compromised once secure encryption permitted terrorists and foreign threats to operate in secret.

Asymmetric cryptography is a tool to allow parties with no prior knowledge of one another to establish a secure channel of communication. The heart of the algorithm depends on the inherent difficulty in factoring large prime numbers. Multiplying two large prime numbers together is easy—but reversing that operation to factor out which two primes were the starting inputs is a task for which there is no computational shortcut. Even the smartest machines have no choice but to attack that problem with raw brute force. Asymmetric cryptographic tools use this mathematical fact to generate a pair of encryption keys that are different from each other, impervious to reverse engineering, but still mathematically entangled with each other.

Having generated the key pair, it is safe to openly distribute one of those keys (the public key) and keep the other one (the private key) secret. The technology is designed such that only the entangled public and private keys can reverse each other’s operations. Only the public key can unlock something locked by the private key, and vice versa. In practice, this means that a person can freely share their public key with anyone and everyone, with the comfort of knowing that any communications encrypted by that key can only be decrypted and read using their secret private key.

The result allows strangers to send encrypted communications back and forth, secure from eavesdroppers.

Therein lay the threat to government officials charged with eavesdropping.

Policing such new technology was both legally and technologically difficult. The one meaningful leverage that the government could use to stem the flow of encryption technology was the Department of State’s authority to regulate the export of so-called “munitions”—that is, anything that the State Department decrees has a fundamentally military purpose. Once the State Department declared cryptography a munition, it could control whether any given encryption algorithm could be legally exported from the US. If software companies did not want to restrict their market to US buyers, they had to cooperate with the NSA to weaken their encryption in ways that compromised their security and commercial value but allowed the government to surveil on “encrypted” data unimpeded.

This caused an impasse that lasted decades. The technology existed to provide greater security to consumers and users, and the businesses that made that technology wanted to provide it to their customers, who were in turn happy to pay for it—but governmental regulation blocked cryptography from reaching its full potential.

Then Philip Zimmermann came along. He was an activist against nuclear proliferation who was also concerned about Big Brother-style surveillance of politically sensitive speech. Through a combination of naiveté, willful blindness, and moxie, Zimmerman posted to the internet a user-friendly version of uncompromised, secure public key encryption as freeware, with no heed paid to the prohibition on international distribution.

For the next three years, Zimmermann faced the risk of a million-dollar fine and five years in prison for exporting munitions without a license. He did not have deep pockets to fund his defense. Then, when the situation seemed at its most dire, Zimmermann pulled a gonzo stunt that—depending on who tells the story—was either a bizarrely provocative gimmick or a clever ploy that ended the investigation. In 1995, Zimmerman arranged with MIT Press to publish the PGP source code in book form. He then sought an export license for the book.

This put the government in a bind. By tradition, direct case precedent, and overarching First Amendment principles, the government would have to permit the export of the book—which would in turn undermine the very premise of prosecuting Zimmermann. How could it be a crime to distribute electronically something that could be lawfully distributed on paper? Alternatively, the government could oppose the export license—but that would almost certainly be overturned by the courts, creating a ruinous ruling for any continued regulation of cryptography.

On January 11, 1996, Zimmermann received welcome news that the US Attorney’s Office had dropped its case against him. At around the same time, the Clinton administration began relaxing export controls on cryptography technologies. By 2000, there had been a complete about-face on cryptographic policy, all but removing meaningful regulations on the development and distribution of encryption systems.

The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.